The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the Github repository.
This is why ublock origin is an essential security tool.
originalucifer@moist.catsweat.com 4 months ago
nah. over 100k sites ignored dependency risks, even after the original owners warned them this exact thing would happen.
the real story is 100k sites not being run appropriately.
vzq@lemmy.blahaj.zone 4 months ago
The hackers just engaged in a little bit of technical debt collecting ;)
Feathercrown@lemmy.world 4 months ago
I’m stealing this phrase
douglasg14b@lemmy.world 4 months ago
That’s not how systemic problems work.
This is probably one of the most security ignorant takes on here.
People will ALWAYS fuck up. The world we craft for ourselves must take the “human factor” into account.
And the majority of industries that actually have immediate and potentially fatal consequences do exactly this, and have been for more than a generation now.
oce@jlai.lu 4 months ago
Ok, people will always fuck up, so what do you do?
All the organizations (including public) getting ransomware and data stolen, it’s because the consequences are not that bad? It is not gross negligence?
rottingleaf@lemmy.zip 4 months ago
So what does it say about us diverting from purely server-side scripted message boards with pure HTML and tables, and not a line of JS? Yes, let’s get back there please. And no phone numbers.
Boeing - we know where you’re goeing.
There’s one industry which kinda started like this, with proper HIG and standard key combinations and proven usability with screenreaders or by people with color blindness, autism, ADHD, whatever.
Then came in people talking with the tone similar to, sorry, yours in the “People will ALWAYS fuck up” part came saying that people want nice, dynamic, usable websites with lots of cool new features, people are social, they want girls with real photos, names and phone numbers on their forums which BTW should be called social nets.
By the way, we already had that with Flash and Java applets, some things of what I remember were still cooler than modern websites of the “web application” paradigm are now. And we had personal webpages with real names and contacts and photos. And there were tools allowing to make them easily.
These people just hated the existing culture with its individualism and depth, the web applications should be able to own you and not be just another kind of embedded content, the personal webpages should be all the same, and of course normies wouldn’t want to come as guests into the nerdspace - no, they had those new social nets as their space, looking down on those nerds and freaks of my kind.
Now - well, try using today’s web as a person impaired in any way.
And those normies can’t really use it too, and too feel impaired, they just won’t admit it.
ShaunaTheDead@fedia.io 4 months ago
One place I worked at recently was still using Node version 8. Running
npm install
would give me a mini heart attack... Like 400+ critical vulnerabilities, it was several thousand vulnerabilities all around.corsicanguppy@lemmy.ca 4 months ago
It should; but more because it installs things right off the net with no validation. Consistency of code product is not the only thing you’re tossing.
Potatos_are_not_friends@lemmy.world 4 months ago
After the first 100, the other 300 kinda don’t matter.
joyjoy@lemm.ee 4 months ago
If you’re on RHEL 8+, you can install the latest version of node with dnf.
dnf install nodejs
will likely install node 8 :(. Usednf module install nodejs:20
to install the latest version.homesweethomeMrL@lemmy.world 4 months ago
Same as it ever was. Same as it ever was. Same as it ever was.
kautau@lemmy.world 4 months ago
Yeah this is just capitalistic business in general. Don’t do anything proactive if it might reduce the bottom line in the short term. Blame others and beg for help when you weren’t proactive. Succeed singularly, fail collectively
thesystemisdown@lemmy.world 4 months ago
This isn’t holding up, time isn’t after us.
best_username_ever@sh.itjust.works 4 months ago
JS: typing is boring, warnings are boring, security is boring.
Cosmicomical@lemmy.world 4 months ago
Sure, the package managers of other languages are super safe
ID411@lemmy.dbzer0.com 4 months ago
But now where am I going to get my “china maleware” headline !?!
Warl0k3@lemmy.world 4 months ago
I don’t think we have to choose. “Maintain your websites so you don’t get taken advantage of”, and “Here’s an example of a major-world-power-affiliated group exploting that thing you didn’t do” are both pretty important stories.
breakingcups@lemmy.world 4 months ago
I mean, both are true? It’s not a manipulative headline in my opinion.
themurphy@lemmy.ml 4 months ago
The malware thing still deserves a headline. They just argue it’s stupid so many even have to use the library to begin with.
catloaf@lemm.ee 4 months ago
Probably at your local asian gay bar.