It's over.https://sansec.io/research/polyfill-supply-chain-attack
Extremely based.Death to all embedded outside domain scripts.
>>101176346Hm, a great example of what happens when you sell to the Chinese.
>>101176346Good. The sooner all libraries die, the better. Internet is unusable today because all "front-end engineers" are drooling retards who can't even write document.getElementById and end up importing several megabytes of obscure code even for the simplest shit. Kill all libraries, kill all bloated javascript, make internet usable again.
I wonder how many services like this are already compromised, and just waiting to become active.
>100k+ sites embed itso like 0.001% of all the sites?
>using librariesgonna be a big ol' yikerino from me neighbor.
>>101176521>0.001% of all the sitesbut 99.999 of all the traffic
>>101176521retard
>>101176346>Loading executable code over the network that you have no control overAre web devs this fucking retarded?
>>101176346https://www.bleepingcomputer.com/news/security/cloudflare-we-never-authorized-polyfillio-to-use-our-name/>Further, to keep the internet safe, Cloudflare is automatically replacing polyfill.io links with a safe mirror on websites that use Cloudflare protection (including free plans).mitmflare
>>101176346>not using sub resource integrityyou get what you fucking deserve.
>>101176346>mfw EU was forcing every website to local store thirdparty libsEU boomers win again, jeets lose
>>101176546Webdevs aren't even taught how to build elements by hand nowadays, they think frameworks were always part of the language.
>>101176546>Are web devs this fucking retarded?As a web dev, I say yes.
>>101176579there's nothing wrong with lightweight frameworks
>>101176546there is literally nothing wrong with this if you assert the code matches a well known shasum.
>>101176554this. it's insane people think that is a good thing
>>101176599>lightweight>frameworksumm, sweaty...
>>101176554there's no chance cloudflare won't get compromised at one point, it's too big of a target
>>101176558Polyfill.js serves polyfills based on user agent, so the hash isn't known beforehand.
>>101176346>googie anailyticsmy fucking sides. also javascript was always insecure and always will be, this is another fearmongering nothingburger niggergoonhitlerposter making shill posts.
>>101176606>check hash>doesn't match>web site is now brokenNice going, smart guy.
>>101176628then it's shit.who uses that shit?
>>101176621larp
>>101176510seconding this
99.99% of people on this thread do not need polyfill. BLOCK IT using ublock or similar. Web devs and web standards are both retarded.
>>101176346> Chinese owner of the popular Polyfill JS projectjust quit fucking using chinksect libraries
>>101176628>supporting browsers older than nightly builds
>>101176554These sites are too powerful and use their powers too often for me to not see the extreme dangers when (not an if) they abuse their power. Since they have the capability, it will only be a matter of time when they use it against political foes, commercial rivals, etc
Local cdn or decentraleyes would not have helped in this scenario, Because they fetch a new copy of the library every time the server reports a hash change.
>>101176510>go to site>blank page unless you enable javascriptJS-wielding soidevs have ruined the web
>>101176788it's much worse. the domain & project was sold to chinks and the chinks started using it for malware. nobody had any idea about it.https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834
>>101176554Oh, yes, thank god this supply chain attack that had to be planned for months could be stopped because a nice corporation we know nothing about after one day popped into existence can just rewrite on a whim all our requests to protect us. How very kind of them, I'm so glad that it's the good guys the ones who have literally infinite power over internet haha.
>>101176346>go open-source go brokeevery time
>>101176579framework have nothing to do with this, you don't have to load them from remove sitesin fact they're already included into the site you serve, most of the time
>someone makes fun of a troon dying >google/cloudfare does a hostile takeover of their domain>literal malware affecting millions of people >"We can't do anything other than mitm the traffic"Fucking clown worldReminder that Cloudfare refused to drop terrorist websites that were hosting torture and execution videos but would drop people for being racist
>>101176554the mitm you know...
>>101176346>China compromised the WEFBASED BASED BASED BASED BASED BASED BASED BASED
>>101176904I hope jiatan makes a comeback and backdoors something like systemd or firejail
>>101176346>OH NOO, NOT THE WEBSITE OF THE WORLD ECONOMIC FORUMSeeth more, ZOG slaves.China won.
>>101176905They're rewriting the response to your request for a pageThat page contains a list of other pages your browser should requestYou're making different requests client sideNothing is intercepting your requests and modifying them between you and the server
>>>101176905>They're rewriting the response to your request for a page>That page contains a list of other pages your browser should request>You're making different requests client side>Nothing is intercepting your requests and modifying them between you and the server
>>101176951kek
>>101176980Are you retarded?
>>101176903>go to site>blank page unless I update my browser>try to update my browser (Ubuntu)>update fails and breaks my apt packages>browser can no longer be launched>switch to a different browserThis shit is why I try not to update. There's a non zero chance that it breaks everything and forces me to update my entire OS
>>101177059This literally doesn't happen
we've had tools for this for ages and I keep telling people to use it:You can load JS into browsers only if the file matches the hash you put in your website. Browser loads the third party js, sees that the hash matches the one you specify, off you go. When compromised, browser loads JS, sees that the hash doesn't match, and it breaks. Then some webdev disables the hashchecking to fix the website after some complaints and it doesn't matter so HEYHO
>>101176980the absolute state
>not blocking javascript
>>101176346Retard here. Why do people use polyfills if their epic JS bundles shit and die when they encounter any of the new syntax features like async/await, template string literals? AFAIK people don't use Babel to shittify their bundles for the 0.00001% of IE11 users.
>>101177059>UbuntuYour own fault
>>101176925>from removeremote*
>>101176966wtf I love china now. how can I hook up with this cute girl?
>>101176980so this is the power of /g/...
>>101176966>exposed shouldersfor what reason
>>101177295separating men and their semen
>>101176346>use third-party dependencies>get supply chain attackedEvery time.
>>101177059I'm on Ubuntu and use Brave from their own repository, never had a problemEmacs on the other hand...
>>101177075It literally did happen, to me. And when I tried to fix it I found several people online experiencing the same thing. Chrome needed a dependency which I couldn't install due to broken apt packages. Couldn't install that dependency or revert to the working version of Chrome. So I use Firefox now on that computer.
>>101176628>An integrity value may contain multiple hashes separated by whitespace. A resource will be loaded if it matches one of those hashes.solved problem
>>101176630>mfw half of the scams in the world would be nonstarters if sites used proper fonts
>>101177418emacs tried to install brave and had problems?
WEF.. China.. corporate culture..that's why im not a javascript fan. the language is great but many things are already settled and wont change. better cope with undevelopment
>>101177635>the language is great
>>101177499>>101177075Here's the proofs. I spent 3 hours trying to solve this and gave up. If it turns out there's an easy solution and I'm a retard then I will be grateful for to know what it is.And before you ask, I already tried the stuff on SO.Also, this isn't the first time this sort of thing has happened to me. It's kind of ironic because this sort of thing is why I want to avoid updating - but at the same time this problem is caused by lack of consistent updates (eventually the gap between releases is so big that you can't update and it breaks like this)
>>101177686>the absolute state of loonix cucksmaybe try to call your wife's bull and see if he can satisfy your dependencies for you
>>101177686>willingly using google's botnet browserFirefox does not have this problem.
>>101177686upgrade your ubuntu it is too old
>not hosting the script yourself to save a few pennies of server costsThey did this to themselves
>>101176346How does it inject malware on phones? The extent of what it can do is redirect people to fake websites, unless there is some serious browser vulnerability.
>>101176510Web pages shouldn't have scripts in the first place. HTML was designed for documents, not apps. All of the problems with the web come from people wanting to use a toy scripting language for documents as an application language. You would think it's retarded if people rewrote all their programs as Word documents with Visual Basic macros, but it's a huge fad to rewrite programs as HTML documents with JavaScript.
>>101177882if you can make a retarded boomer's phone open a link he didn't intend to, you're 90% done. just make a fake login page or make them download something, at least someone will fall for it. you don't actually need a 0day for that
>>101177912microsoft is rewriting parts of w11 in react (like the start menu) and more and more programs are moving to web-based ui (like the ubuntu installer)I hate this clown world
>>101176346web browsers should not run any executable code.
>>101176393Tsmt d e s u
>>101176346HOLY FUCK, JIA TAN JUST FLEW OVER MY HOUSE
>>101177653i mean dynamic part, around ES5 years. when those coffeescript livescript were born. then api and new styles became unbearable, it took jsx/typescript path
>>101177686Wants libnss3 not libnss3-dev
>>101176521>using a react site>using a node.js site>using polyfillyou can retroactive deez nuts
>>101177952the move is good. react isnt. windows 11 is not good because other, unrelated factors. its a asymmetric software warfare. new game is good, but have to put directx12 for it, which runs only on windows12 or something like that. they modify javascript to play those games
>>101176903Blank page? Then I just leave and never go back.
ALL WHITU DEVILS FEEL OUR WRATH
>>101177527>just include 653532 hashes per dependency bro
>>101176346>redirects mobile users to a sports betting sitewtf? i didnt want to gamble but this gambling site showed up on my phone so i might as well gamble
>>101176626cloudflare already was completely compromised in the past:https://en.wikipedia.org/wiki/Cloudbleed
lolfirst it was north korean hackers, then russian hackers, now everything's a chink
>>101177686You haven't gotten any helpful answers so far so I will give you one. Debian-based distributions commonly tend to enter this dependency hell state as a consequence of meddling with things you aren't supposed to. For example adding new repositories to /etc/apt/sources.list (or running commands that add new repositories). There is zero chance of ending up with an issue like this if you use the OS the way it's meant to be used, with Ubuntu you're sort of in a limbo state but with base Debian you aren't supposed to install a package if it's not in the stable repo, or if you do then you aren't supposed to use apt. The problems you mentioned like installing an update and uninstalling your entire system can only be caused by breaking your apt sources which requires immense user retardation.
>>101178350>meddling with things you aren't supposed to>aka installing software outside the (((curated repository)))Debian might be genuinely more cucked than iOs.
>>101178275Now it's Chinkbleed.
>>101178350>There is zero chance of ending up with an issue like this if you use the OS the way it's meant to be usedDebian regularly can't keep their browsers up to date because Debian's dependencies are ancient:https://www.theregister.com/2021/12/10/debian_firefox_issues/"""The problem is that Firefox 91, the current ESR version, includes several dependencies that the current stable version of Debian – 11.1 "Bullseye" – can't fulfil, which poses the maintainers a problem: either update some components of the graphics stack, just for Firefox, or force the Debian version of Firefox to use older dependencies, which is doable but doesn't fix the problem, so it will happen again when the next ESR appears.Debian releases get updates for five years, but Mozilla puts out a new Firefox ESR annually, so this will be a nuisance for years to come."""
>>101176346Based. Kill interpreted bloated meme langs. Now we have WebAssembly. Move to Go, Rust and C++
if you are using more than like 2 js dependancies you deserve it
>>101176346If you use 3rd party hosts for your js libraries then you deserve to be compromised. How much effort is it to fucking copy bloat.min.js to your own fucking server?
>>101178535womm
>>101178619WebAssembly is even worse than JavaScript. It's binary blobs on the web. It doesn't even have heap allocation and forces you to put everything in the blob.
>>101178524>might beApple invented rocks and you live under one.
>>1011786272 js dependencies pull in 20 dependencies, which pulls in 200 dependencies, which pulls in 2000 dependencies.
>>101178653>It doesn't even have heap allocation and forces you to put everything in the blob.that's not an accurate representation
>>101178653>forces you to put everything in the blobwrong:https://developer.chrome.com/blog/wasmgc/
>>101176346it is not exactly malware, it is so China can communicate to spies in various other nations, it only works when a spy logs on a certain website then it kicks on and the communication line opens
>>101176510Extremely based and correct. The pathetic level of web devs I encounter is mind-boggling to me. Here's a recent story from work.>be sysadmin>web devs come to me with what they want to do>combine 6-7 repos into one statically generated site using docosaurus>they ask me for github api token in CI to do it>"why would you need a token?">"to fetch the other repos">"eeeeeee.... are they private?">"no">see what they have constructed>find a monstrocity of 800+ JS lines that fetch EVERY SINGLE FILE from the 7 repos INDIVIDUALLY via github api>"but why? why would you do any of that?">"how else?">"submodules? fetch a zip? clone it? wtf?"I have no words for these amazing "full stack" devs.
>>101176606So a malicious site can't hurt me if the shasum matches? Also, 4chan can be made without javascript. I long for the day it changes. I can then block all JS
>>101178762Forgot to add they added like 30 node js modules for github api handling and file handling to do that.I literally can't even with these people.
this is literally a solved problem with the integrity attribute or self-hosting the JS you use.
>>101176965SystemD is backdoored most likely. 99% sure. Microsoft funds it. Just because a backdoor hasn't been found doesn't mean it doesn't exist. Moreover there have been severe "bugs and exploits" that could very well have been intended but unless that's proven it won't be called backdoor or anything but bug and exploit.
>>101178810google adsense doesn't allow self-hosting nor gives you integrity hashes.how would anyone pay for hosting in your world?
>>101178644>>101178659>barely intelligible seethingNow try formulating an argument instead of being outraged at people not worshipping your distro of choice.
>>101176346Javascript is the new flash
test
>>101176346>support older browsersnot my problem, at work I configured TypeScript to emit ESNext and Vite to emit ES2022. No point in supporting old browsers when they've auto-updated for years>b-but I use Firefox 3.5 with updoots offI dont care, you're as rare as a tranny thus dont deserve my attention.
>>101176903React 19 fixed this. You can now compile React components to fully static, JS-free, HTML.
>>101176934Racism is bad in a special way that terrorism isn't.
>>101176346nooooooo muuuuuh secuuuuuurityyyyy!!!!!!!!!!!!!!!aaaaaaa muuuuuh secuuuuuurityyyyy!!!!!!
>>101178762Wait, they're downloading hardcoded URLs for hundred of files instead of using git as well as adding node_modules to a repo?
>>101176346>http://polyfill.io/Blocked by Ublock Origin. I wonder if DecentralEyes would have prevented this. >>101176934Cloudflare was started with a DHS grant. DHS was stood up after the 9/11 false flag to spy on and harass the enemies of israel by mossad spy Michael Chertoff. Cloudflare's original marketing strategy was to sign up all of the cybercriminals in the world. In case you haven't figured this out, "terrorism" is used to control the White European populations of the Anglosphere, the US, and Europe with fear broadcasted through the jewish media. This is why the re-branded DARPA LifeLog project known as Facebook automatically promoted ISIS while in parallel targeting White people. The pseudo-governmental jew managed tech sector helped the US "intelligence" community recruit young dumb people to attack all of the enemies of israel in the middle east under the banner of ISIS. The US armed and backed ISIS against Assad on behalf of israel, which controls the US congress with bribes and/or slander. Keeping "terrorism" sites online benefits the regime. "Terrorism" is the threat that if we don't support eternal wars overseas that are bankrupting us at home and flooding our country with hostile aliens, the "terrorism" will have to be conducted domestically against us. This threat keeps White Europeans in check. It also creates the illusion that we have common cause with israel, who controls our media, tech sector, and the federal government.Domestic Whites who have figured out all of the lies of the regime are the highest priority target of the regime because they are teaching other people the truth, which can't be un-learned. The people who don't know how the system works are unwittingly the pawns of the system and are therefore a non-priority for the plutocracy that rules the US. That's how it works.
>>101177686>knowingly installing jewgle chromeuse chromium or iridium or brave
>>101178124I literally can't access my bank account if I disable js. What a time to be alive.
>>101179803Yes to the first, part. Fortunetely they are not stupid enough to commit node_modules. Though i have seen that many times before in my career too.Every time the web dev team contacts my I roll my eyes thinking "oh boy, here we go again".
>>101179915Just go withdraw cash once a month. I can even pay my property taxes with cash.
>>101179938I'm still facepalming: do they think that github IS git?
>>101180036I think their reasoning was kinda like this:>we want to build this with docosaurus>to do that we have to write a docosaurus plugin>the plugin has to be written in js>we can't use git in js (I'm guessing they thought that)>we need to fetch files via api insteadI'm not 100% sure that's correct, there might be several wrong assumptions in their reasoning. But honestly I have my hands full of other garbage that's more important than to argue with them for days to turn that into a 20 max line bash script that would do the same thing.Their reasoning was also that "they don't want all the files". But then just make a whitelist/blacklist and remove after unpacking a ZIP or something. Why download everything via API.
>>101176510but importing dozens of scripts from all over the internet via scripts to generate html is the right way to do things
>>101176628>fagman forcing people to updoot larping about muh security againfirst wifi, now this, all just to make people udpooot to the latest flatshit garbage.No, i wont use windows 11, I wont update chrome nor use linux, fuck off pajeets
>>101177686skill issue. my hint to you: dev build <> public build
>>101177912So you mean you don't want buttons to do useful things on the page and such? They would have to direct you to another page
>>101176393Fpbp
>>101176346>javascript compromisedalways was
>>101178916>new
>>101176393This, oh god, so much this.Now I have a good argument to fuck anyone who defends this.
>>101176965Why firejail?>>101178888>Microsoft funds itSource?
>>101182541>sourcemicroshit employs lennart, and what do you think they pay him to do?>>101181616>>101176393script tags that just have a src attribute were the real mistake. Force webshitters to embed their diarrhea directly in the HTML and we can get back to something resembling sanity
>>101176346Gotta catchem all. Disgusted but not revolting. Entrance approved work ways. Non social but highly conversable deeds.
>>101177366Meep moop
-ACK
>buy some shit middleware>ransomware all its users>??????>profit!huh hacking is easy
>>101176346>to support older browsersThis is why companies force updates on the end-userOld software is inherently compromised
>>101176554>injects arbitrary js code to any website served if it contains a forbidden secuence of bytesWow, thanks cloudflare!I love when big corporations keep me safe and secure
>>101176554Cloudflare is literally a trojan horse.
>>101182931Not really. It's a MITM.
>>101177282that's a man with a filter, guaranteed>>101177295exposed shoulders are the chinese state approved version of cleavage
