polyfill.io / bootcdn.net / bootcss.com / ... usages tracking

[LeSuisse]

Description

On June 25 an ongoing supply chain attack via resources served by cdn.polyfill.io was exposed: https://sansec.io/research/polyfill-supply-chain-attack

Yesterday more domains used by the same actor have been identified.
Currently (2024-06-29), Namecheap has put on hold the polyfill.io domain but the other domains are still active.

Some usages of resources served by these domains have been spotted early by the nixpkgs community by looking at the content of their /nix/store:

• pandoc ([3.1.1; 3.1.12.3[) pandoc: apply patch removing the usage of polyfill.io in the templates #322743
• doxygen ([1.9.2; 1.10.0[, NixOS 23.11 only) [23.11] doxygen: apply patch removing the usage of polyfill.io #323233

In order to have a better cartography I checked the free/non broken/non insecure x86_64 packages we have in the cache for NixOS unstable b2852eb (thanks to delroth grep-nixos-cache tool 💚 ). I looked for the same domains currently blocked by uBlock Origin.

Raw results here: https://gist.github.com/LeSuisse/05b5e3f3bf72d43f4e433778dfab486b

Triage

I'm creating this issue to keep a public trace of the triaging work and remediation for impacted nixpkgs packages.

Impacted

• emacsPackages.org-xlatex: used in a template
  • Upstream: [Security] Stop using JS polyfill ksqsf/org-xlatex#3
  • unstable: emacs.pkgs.org-xlatex: 20230820 -> 20240707 #325686
  • 24.05: [Backport release-24.05] emacs.pkgs.org-xlatex: 20230820 -> 20240707 #325712
• leo-editor, plugin viewrendered3: used in templates [0] [1]
  • Upstream: Do not use polyfill scripts from polyfill.io leo-editor/leo-editor#3987
  • Unstable: leo-editor: 6.7.8 -> 6.8.1 #332425
• python3Packages.astropy: usage of polyfill.io is recommended to the users, fixed upstream SEC: replace polyfill.io with Cloudflare equivalent astropy/astropy#16629
  • unstable: python3Packages.astropy: apply patch removing the usage of polyfill.io #323658
  • 24.05: [24.05] python3Packages.astropy: apply patch removing the usage of polyfill.io #324392
• python3Packages.django-mdeditor: possibly impacted, the non minified JS file of the editor loads KaTeX from a domain controlled by the bad actor
  • Upstream: fix(KaTeX): Use jsdelivr instead of bootcdn pylixm/django-mdeditor#184
  • unstable: python3Packages.django-mdeditor: patch out polyfill.io usage, bump KaTeX #347565
  • 24.05: [Backport release-24.05] python3Packages.django-mdeditor: patch out polyfill.io usage, bump KaTeX #348478
• python3Packages.nikola: fixed upstream in 8.3.1
  • unstable: python3Packages.nikola: 8.3.0 -> 8.3.1 #323572
  • 24.05: [Backport release-24.05] python3Packages.nikola: 8.3.0 -> 8.3.1 #325098
• python3Packages.pdoc: fixed upstream in 14.5.1
  • unstable: python3Packages.pdoc: 14.5.0 -> 14.5.1 #323578
  • 24.05: [Backport release-24.05] python3Packages.pdoc: 14.5.0 -> 14.5.1 #323615
• yt-dlp: douyutv module is impacted if the download from CloudFlare CDN fails
  • Upstream: [ie/douyutv] Do not rely on a CDN under the control of a bad actor yt-dlp/yt-dlp#10347
  • unstable: yt-dlp: 2024.7.2 -> 2024.7.7 #325367
  • 24.05: [Backport release-24.05] yt-dlp: 2024.7.2 -> 2024.7.7 #325472
• quarto: fixed upstream in 1.5.24 / 1.4.557
  • unstable: quarto: 1.4.555 -> 1.4.557 #323132
  • 24.05: [24.05] quarto: apply patch removing the usage of polyfill.io in the templates #323571
• rstudio: seems to embed a copy of quarto
  • Fixed in nixpkgs since we fixed quarto, nixpkgs rstudio use the "system quarto" thanks to a custom patch
• rubyPackages.jekyll-spaceship: used in the MathJax processor
  • Upstream: fix: Do not use polyfill scripts from polyfill.io jeffreytse/jekyll-spaceship#98
• t-rex: seems to load a resource from cdn.polyfill.io via a minified JS file

Not Impacted

• adguardhome: filter lists
• affine: only used as a string in a warning message of a JS dep
• alice-ng: only used as a string in a warning message of a JS dep
• clash-verge-rev: usage of V2Ray geosites.dat
• clash-verge: usage of V2Ray geosites.dat
• coursera-dl: Not directly impacted but upstream README should not advise to use cdn.bootcss.com
• deepin.deepin-voice-note:usages of cdn.bootcdn.net are commented
• dismap: static detection lists [0] [1]
• documenso: ESLint rule to not use polyfill.io
• eclipses.eclipse-jee: used in the README of a JS dep
• eclipse-committers: used in the README of a JS dep
• firebase-tools: used in the the README of a JS dep
• geph.cli: probably not impacted, seems to be a static list
• gowitness: static list from wappalizer
• grafana: hit from a JS map file
• gramma: used in the the README of a JS dep
• grafana-image-renderer: used in the the README of a JS dep
• heroic-unwrapped: used as a string in a warning message of a JS dep
• hedgedoc: used in the sample file of JS dep
• hsd: used in a static list
• httpx: static list from wapalizer
• jellyseerr: mention of polyfill.io in some polyfill scripts but it's only comments and nothing is loaded remotely
• katana: static list from wappalizer
• ledfx: hit from a JS map file
• libhttpseverywhere: static ruleset
• limesurvey: static use in the translation file of a dep
• mediawiki: used in the README of a JS dep
• minio: only used as a string in a warning message of a JS dep
• minio_legacy_fs: only used as a string in a warning message of a JS dep
• python311Packages.mlflow: hit from a JS map file
• meshcentral: used in the the README of a JS dep
• mopidy-iris: only used as a string in a warning message of a JS dep
• music-player: only used as a string in a warning message of a JS dep
• nekoray: usage of V2Ray geosites.dat
• netdata: hit from a JS map file
• nginx-doc: mentioned in the njs node_modules doc
• nextcloud28: used on the documentation website of a PHP dep
• nextcloud29: used on the documentation website of a PHP dep
• ntfy-sh: only used as a string in a warning message of a JS dep
• nuclei: static list from wapalizer
• ooniprobe-cli: used in a static list
• openobserve: used as a string in a warning message of a JS dep
• oxlint: lint rule to not use polyfill.io
• outline: mentioned in the docs of JS deps (autotrack, focus-visible, isomorphic-fetch)
• pencil: only used in commented code
• peertube: only used in the docs and README of JS deps (focus-visible, isomorphic-fetch, node-media-server, superagent)
• promptfoo: mentioned in the changelog of a JS dep
• python3Packages.bilibili-api-python: used in a webpage that does not seem to be directly used by the Python package
• python3Packages.sphinx-rtd-theme: comment string in a PO file
• python3Packages.ray: hit from a JS map file
• quickwit: only used as a string in a warning message of a JS dep
• react-static: used in the README of a JS dep
• rocketchat-desktop: only used as a string in a warning message of a JS dep
• serverless: used in the the README of a JS dep
• sing-geosite: static DB file
• sitespeed-io: used in the the README of a JS dep and various static lists
• spacevim: not directly impacted it was removed from their doc website
• seclists: static lists
• stevenblack-blocklist: static lists
• torq: hit from a JS map file
• trilium-desktop: mentioned in the README of a JS dep
• trilium-server: mentioned in the README of a JS dep
• v2ray-domain-list-community: static list
• vieb: static list from uBlock
• wad: copy of the wappalyzer list
• whitebophir: usage of polyfills mentioning polyfill.io in comment strings
• zammad: used in test data
• zrok: only used as a string in a warning message of a JS dep