Polyfill.js Supply Chain Attack

If you have heard about the Polyfill.js Supply Chain Attack and have concerns or worries about its potential impact on iMIS, rest assured that this is NOT an issue for iMIS.

“In this attack, a malicious actor that appears to be located in China acquired one of the most popular polyfill open-source projects a few months ago and infected the polyfill JavaScript code by injecting malicious scripts into the distributed polyfills. The attack primarily targeted mobile devices, selectively sampling sessions to remain stealthy and harder to detect. The malicious code was then used for a redirection attack, diverting users to scam sites.” (https://www.akamai.com/blog/security/2024-polyfill-supply-chain-attack-what-to-know)

There are many articles about this recent issue across the internet, including the one above and this one: https://lab.wallarm.com/polyfill-io-supply-chain-attack-malicious-javascript-injection-puts-over-100k-websites-at-risk/

iMIS does not use this code, so I suspected 3rd-party code.

The issue is that some files, such as Polyfills.js, are used by websites in such a way that the site pulls the file when needed from a Content Delivery Network (CDN). The advantage of this is that the CDN site will typically have the latest version of the code. The disadvantage is the same: the site runs whatever the CDN serves at that moment. If an application like iMIS that uses the CDN-supplied code isn't updated for any potentially breaking changes, then when the CDN is updated, the downstream application will break.
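As an added example (not part of this article or of iMIS), the following Python script lists the script tags a page loads from another origin and flags any that point at polyfill.io or are loaded without an integrity hash, which is the browser's built-in check against a CDN file changing underneath a site. The sample HTML and the site host name are constructed.

```python
"""Flag externally hosted <script> tags that a CDN could change under a site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the write-ups linked above (hypothetical watch list).
SUSPECT_HOSTS = ("polyfill.io",)


def is_suspect(host):
    """True for a watched host or any of its subdomains (e.g. cdn.polyfill.io)."""
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


class ScriptTagScanner(HTMLParser):
    """Collect every <script src=...> that points at a different origin."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script, not CDN-delivered
        # Protocol-relative ("//cdn...") and relative paths get a scheme so urlparse works.
        host = urlparse(src if "://" in src else "https:" + src).hostname
        if host is None or host == self.page_host:
            return  # shipped with the site, like AA_Polyfills.js
        self.findings.append({
            "src": src,
            "host": host,
            "suspect_host": is_suspect(host),
            # Without an integrity hash the browser runs whatever the CDN serves today.
            "pinned": "integrity" in attrs,
        })


def scan_html(html, page_host):
    scanner = ScriptTagScanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one local script, one pinned CDN script, one unpinned polyfill.io script.
SAMPLE_HTML = """<html><head>
<script src="/AsiCommon/Scripts/AA_Polyfills.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "members.example.org"):
        flag = "REVIEW" if f["suspect_host"] or not f["pinned"] else "ok"
        print(f"{flag}: {f['src']} (host={f['host']}, pinned={f['pinned']})")
```

Run it against a saved copy of each site page (or view-source output) to get a list of every third-party script worth reviewing with the vendor.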

ASI is working with its partners to confirm they are aware of this serious security concern. At least one partner affected by this issue has already addressed it. However, there may be other partner products and/or non-ASI-related products affected by this potential issue.

iMIS 2017 has a custom version of Polyfill.js called AA_Polyfills.js that contains only the 202 lines iMIS needs/uses. Otherwise, polyfill is only mentioned in comments in this file:

C:\Program Files (x86)\ASI\iMIS20.2.64.8405\net\AsiCommon\Scripts\AA_Polyfills.js

iMIS 20.3/100.3 has the above and a version called polyfills.js that is delivered with iMIS, not by CDN, and we get it from a safe source, Core.js. It is only used with the donationEntry iPart:

C:\Program Files (x86)\ASI\iMIS\Net\Areas\ng\src\app\iParts\donationEntry\polyfills.js
