The cdn.polyfill.io Vulnerability: What You Need to Know
- The Pixel Manager contained the cdn.polyfill.io vulnerability
- It was fixed in version
1.43.4, the same day it was discovered - cdn.polyfill.io support was experimental and not enabled by default
What happened?
On June 26, 2024, we were made aware of a vulnerability in the Pixel Manager on our Discord channel by the user @bmtalks.
We read and analyzed Sansec's article about the the cdn.polyfill.io supply chain attack: https://sansec.io/research/polyfill-supply-chain-attack. Based on that information we agreed that this is serious and we need to act fast.
We then analyzed if the Pixel Manager was affected by this vulnerability and how big the impact was.
The Pixel Manager indeed contained experimental support for cdn.polyfill.io that was not enabled by default. We still decided to fix this vulnerability as soon as possible.
Just a few hours later, on the same day, we released version 1.43.4 of the Pixel Manager with the vulnerability fixed.
Since we fixed this, various vulnerability tracking platforms have picked it up and started reporting the vulnerability for installations of the Pixel Manager below version 1.43.4.
- Patchstack: WordPress Pixel Manager for WooCommerce Plugin
<=1.43.3 is vulnerable to Backdoor - Wordfence: Various Plugins
<=Various Version - Use of Polyfill.io
What is cdn.polyfill.io?
cdn.polyfill.io was a service that provided polyfills for web technologies. Polyfills allow you to use modern JavaScript features on older browsers that do not support them.
To increase tracking accuracy for the Pixel Manager we wanted to make sure that the Pixel Manager JavaScript codes runs on as many browsers as possible. That's why we added experimental support for cdn.polyfill.io.
Not long after we added experimental support for cdn.polyfill.io, we found better ways to increase browser support coverage in the Pixel Manager and never enabled cdn.polyfill.io by default.
But, we also never removed the experimental support for cdn.polyfill.io from the Pixel Manager, which we could have done earlier for sure.
Who is affected?
Support for cdn.polyfill.io was always experimental and not enabled by default. We never documented how to enable it and we never recommended to enable it (apart of one user with which we tested it).
It is unlikely that many users enabled cdn.polyfill.io support in the Pixel Manager. If any at all it was probably only a handful of users.
Everyone else is and never has been affected by this vulnerability.
How to update the Pixel Manager
If you are using the Pixel Manager version 1.43.3 or below, please update to version 1.43.4 or above to fix this vulnerability.
Simply follow the standard update procedure for WordPress plugins.
Pro users of the Pixel Manager need to have an active subscription to receive updates. If you have an active subscription, you can update the Pixel Manager in the WordPress admin area.
Users of the free version of the Pixel Manager can update the plugin in the WordPress admin area as well.
