Mojo-DOM-Role-Analyzer polyfill.io compromise

briandfoy · Jun 26, 2024 · 5f6a039 · 5f6a039
1 parent 9e85f92
commit 5f6a039
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/cpansa/CPANSA-Mojo-DOM-Role-Analyzer.yml b/cpansa/CPANSA-Mojo-DOM-Role-Analyzer.yml
@@ -0,0 +1,24 @@
+---
+- affected_versions: <=0.015
+  cves:
+    - CVE-2024-38526
+  description: >
+    pdoc provides API Documentation for Python Projects. Documentation
+    generated with `pdoc --math` linked to JavaScript files from
+    polyfill.io. The polyfill.io CDN has been sold and now serves
+    malicious code. This issue has been fixed in pdoc 14.5.1.
+  distribution: Mojo-DOM-Role-Analyzer
+  embedded_vulnerability:
+    distributed_version: ~
+    name: polyfill.io
+  fixed_versions: ~
+  id: CPANSA-Mojo-DOM-Role-Analyzer-2024-38526
+  references:
+    - https://github.com/mitmproxy/pdoc/pull/703
+    - https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
+    - https://sansec.io/research/polyfill-supply-chain-attack
+    - https://github.com/briandfoy/cpan-security-advisory/issues/155
+    - https://github.com/sdondley/Mojo-DOM-Role-Analyzer/issues/10
+    - https://stackdiary.com/polyfill-compromise-hits-100000-sites-in-a-supply-chain-attack/
+  reported: 2024-06-26
+  severity: ~