Is dash 2.16.0 vulnerable to the polyfill.io supply chain attack?

Hi,

In dash 2.16.0 there are references to polyfill@7.12.1.min.js. Is dash version 2.16.0 vulnerable to the polyfill.io supply chain attack?

If 2.16.0 is vulnerable, has a later version been patched, or how might this issue be mitigated?

Hello @waterfall,

Welcome to the community!

Thanks for bringing this up. I’m not quite sure that these are the same thing.

Babel polyfill, which is what is referenced, seems to be something different from this vulnerability. Polyfill.io looks like it’s something that manages polyfills for people, which Babel polyfill would be one of the things that could be managed. Though dash itself doesn’t look to use this.

But better to be safe than sorry, for sure. I bumped the issue on the GitHub for this as well to get looked at.

1 Like

Here is an article further explaining the risk and effects of this:

@adamschroeder

List of Impacted Libraries and Domains

Impacted libraries and domains beyond cdn.polyfill.io, include:

Additionally, indicators of compromise (IoCs) for checking in logs include:

1 Like

Thanks @jinnyzor.
I also updated the Plotly team about this earlier this week. We’re investigating.

1 Like

Thanks for bumping the issue.

1 Like

Looks like this is good:

T4rk1n: I’ve removed the url from the test, it was the only reference in our code.
Also scanned deployed app with polykill.io and all clear.

The only concern would be if you are a developer working on the dash library and are running all the tests, however, if you sync your fork/branch with the dev branch, you will have this script removed. :slight_smile:

In a recent post here, @KoalifiedEnough posted an image of some console errors that suggest (I think - I don’t really understand it :slight_smile: ) that either dmc or dash-ag-grid maybe is using polyfill, or maybe it’s just under the hood in React. Is this of any concern?

Hello @davidharris,

Just because something has polyfill in the name doesn’t mean that it’s associated.

Polyfill is a process to help things with supporting older browsers. This is ok. Which I think is what those errors are from. And even those errors above weren’t really an error but the dev not having a license for the enterprise version.

The vulnerability comes from polyfill as the host site. Think of it as a cdn alternative… basically if your app is looking at that domain for its documents then you could encounter issues…

2 Likes
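The distinction drawn in the last reply, as an added example that is not part of the thread or of Dash's code: a check that flags a page only when a script or link is fetched from the polyfill.io host (or a subdomain), and not when a locally served file merely has "polyfill" in its name. The function names, the sample HTML and the asset path in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host named in the thread; a constructed default, extend as needed.
BLOCKED_DOMAINS = {"polyfill.io"}

# Constructed sample page, not taken from a real Dash app.
SAMPLE_HTML = """
<script src="/assets/deps/polyfill@7.12.1.min.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//POLYFILL.IO./v2/polyfill.js"></script>
<script src="https://notpolyfill.io.example/polyfill.io/app.js"></script>
"""


class _SrcCollector(HTMLParser):
    """Collect URLs that make the browser fetch scripts or linked resources."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])


def host_of(url):
    """Return the lowercase host of a URL, or None for same-origin paths."""
    # urlsplit also handles protocol-relative URLs such as "//host/x.js".
    host = urlsplit(url.strip()).hostname
    return host.rstrip(".") if host else None


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or any subdomain of one."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in blocked
    )


def find_blocked_references(html, blocked=BLOCKED_DOMAINS):
    """Return the resource URLs in html that load from a blocked host."""
    parser = _SrcCollector()
    parser.feed(html)
    return [u for u in parser.urls if is_blocked(host_of(u), blocked)]
```

Run `find_blocked_references` over the HTML a deployed app actually serves; matching on the parsed host rather than on the substring "polyfill" is what keeps the locally bundled Babel polyfill from being reported.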