Emsisoft warned me and blocked this from gHacks yesterday. I have just checked and Emsisoft is still blocking it on gHacks site at the moment. https://www.theregister.com/2024/06/25/polyfillio_china_crisis/
Block in uBO with this?
Code: ||cdn.polyfill.io/v2/polyfill.min.js$script
However, on gHacks (and probably other sites using Cloudflare) `cdn.polyfill.io` is CNAME'd to `polyfill.io.cdn.cloudflare.net`. See also: https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
Cloudflare - 06/26/2024
Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet
https://blog.cloudflare.com/automat...-with-cloudflares-mirror-for-a-safer-internet
Long article. Read more there!
Edit: forgot to give the link; now added.
https://www.bleepingcomputer.com/ne...otcss-staticfile-attack-traced-to-1-operator/
The polyfill.com domain has been suspended. However, see: https://sansec.io/research/polyfill-supply-chain-attack
All of these domains are blocked by NextDNS. P.S. Even some indicators of compromise are blocked by my TLDs (I blocked all non-European characters + .ru + .cn). @nicolaasjan It would probably be better to warn MSFN members who use old browsers + Polyfill.
Yes, I've been thinking about that as well. However, Cloudflare already reroutes traffic now. What is also important to note is that the malware targeted mobile devices.
All of these domains have been added to the "uBlock filters – Badware risks" filter list which is enabled by default. See commit.
Am I now wrong? I don't see this one mentioned anymore:
Code: google-anaiytics[.]com
It was mentioned in the BleepingComputer article here: https://www.bleepingcomputer.com/ne...-been-defamed-returns-after-domain-shut-down/
PS: I left the "brackets" there in the code (typosquatted domain name). Obviously you can remove the "brackets".
Edit: I see it here now: https://github.com/uBlockOrigin/uAssets/pull/24285/commits/f5daf14ab24cd1e6dc51ae3d176b3c04fe6d234b
It's great that uBO list maintainers added those filters. However, as mentioned in this article, it's possible that those domains might also use other TLDs. That's why I think more comprehensive filters are advisable. And uBO offers them by using, e.g., this syntax:
Code: ||bootcss.*^$all
While that wiki entry refers only to static extended filters, I found that they also work for the above "simple" filters. For example, I block Facebook with this filter:
Code: ||facebook.*^$all
When opening facebook.com or facebook.net or facebook.org or whatever, the site is strictly blocked by uBO due to the filter "||facebook.$document" as found in MyFilters. The entity expressed by the asterisk is one of those listed here. You might even add the important filter option, which would ignore all exception filters:
Code: ||bootcss.*^$all,important
EDIT: so the complete set of modified filters would look like this:
Code:
! https://github.com/uBlockOrigin/uAssets/pull/24285/commits/f5daf14ab24cd1e6dc51ae3d176b3c04fe6d234b
||polyfill.*^$all,important
||googie-anaiytics.*^$all,important
||bootcdn.*^$all,important
||bootcss.*^$all,important
||staticfile.*^$all,important
||staticfile.*^$all,important
||unionadjs.*^$all,important
||xhsbpza.*^$all,important
||union.macoms.*^$all,important
||newcrbpc.*^$all,important
@summerheat I don't understand two things from your post:
Code:
! https://github.com/uBlockOrigin/uAssets/pull/24285/commits/f5daf14ab24cd1e6dc51ae3d176b3c04fe6d234b
||polyfill.*^$all,important
||googie-anaiytics.*^$all,important
||bootcdn.*^$all,important
||bootcss.*^$all,important
||staticfile.*^$all,important
||staticfile.*^$all,important
||unionadjs.*^$all,important
||xhsbpza.*^$all,important
||union.macoms.*^$all,important
||newcrbpc.*^$all,important
1. This part:
Code: ||googie-anaiytics.*^$all,important
Originally the BleepingComputer article https://www.bleepingcomputer.com/ne...-been-defamed-returns-after-domain-shut-down/ was saying
Now it seems suddenly that google and googie are different! (forget about those brackets) Was a typo made somewhere, and where? And if so: was it corrected, and where and when and by whom?
2. You say:
Code:
||staticfile.*^$all,important
||staticfile.*^$all,important
Those two lines look similar to me. Am I right? I see it at https://github.com/uBlockOrigin/uAssets/pull/24285/commits/f5daf14ab24cd1e6dc51ae3d176b3c04fe6d234b
But nevertheless my question: why those two similar lines? TIA
Hi @FanJ
Well, I took the entries from the commit for the uBO filter list. But it may be prudent to add the other entry as well. Actually, they are identical. I simply forgot to remove the second one after substituting the TLD with the asterisk. My bad! Thanks for that hint!
EDIT. So the corrected list is:
Code:
! https://github.com/uBlockOrigin/uAssets/pull/24285/commits/f5daf14ab24cd1e6dc51ae3d176b3c04fe6d234b
||polyfill.*^$all,important
||googie-anaiytics.*^$all,important
||google-anaiytics.*^$all,important
||bootcdn.*^$all,important
||bootcss.*^$all,important
||staticfile.*^$all,important
||unionadjs.*^$all,important
||xhsbpza.*^$all,important
||union.macoms.*^$all,important
||newcrbpc.*^$all,important
You're welcome! I'd like to add that using uBO in medium or hard mode is actually an even better protection, as it also covers (potentially malicious) domains which haven't landed in the filter lists yet.
Censys - July 2, 2024
July 2: Polyfill.io Supply Chain Attack – Digging into the Web of Compromised Domains
https://censys.com/july-2-polyfill-...-digging-into-the-web-of-compromised-domains/
Long article. Read more there.
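As an added example (not uBO's own matcher and not code from anyone in this thread), here is a small Python model of the `||name.*^` entity syntax discussed above, applied to a subset of the corrected list and to a constructed page; the "1- or 2-label suffix" rule is an assumption standing in for uBO's Public Suffix List lookup, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Added example, not uBO's own matcher: a simplified model of the "||name.*^"
# entity syntax from this thread, run over a constructed page. uBO resolves "*"
# via the Public Suffix List; here "*" is approximated as a 1- or 2-label
# suffix (".io", ".co.uk"). Matching is on the URL hostname, so the CNAME
# target polyfill.io.cdn.cloudflare.net plays no role in whether it fires.
FILTERS = """! subset of the corrected list above
||polyfill.*^$all,important
||googie-anaiytics.*^$all,important
||google-anaiytics.*^$all,important
||bootcss.*^$all,important
||union.macoms.*^$all,important
"""

def parse_filters(text):
    """Yield the hostname pattern of every '||pattern^$options' line."""
    for line in text.splitlines():
        m = re.fullmatch(r"\|\|([a-z0-9.*-]+)\^(?:\$\S*)?", line.strip())
        if m:
            yield m.group(1)

def hostname_matches(host, pattern):
    """True if host is pattern's domain or a subdomain of it."""
    labels = host.lower().rstrip(".").split(".")
    if not pattern.endswith(".*"):
        plabels = pattern.split(".")
        return labels[-len(plabels):] == plabels
    base = pattern[:-2].split(".")
    n = len(base)
    # the base labels must sit directly in front of a 1- or 2-label suffix
    return any(labels[i:i + n] == base
               for i in (len(labels) - n - 1, len(labels) - n - 2) if i >= 0)

def blocked_scripts(html, filters=FILTERS):
    """Return the <script src> URLs in html whose hostname matches a filter."""
    rules = list(parse_filters(filters))
    srcs = re.findall(r'<script[^>]*\ssrc=["\']([^"\']+)', html, re.I)
    return [s for s in srcs
            if any(hostname_matches(urlsplit(s).hostname or "", r) for r in rules)]

# constructed sample page: two compromised CDNs, the Cloudflare mirror, and the
# genuine google-analytics.com (the filter list names the typosquats only)
SAMPLE_HTML = """<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>"""
```

Running `blocked_scripts(SAMPLE_HTML)` flags only the polyfill.io and bootcss.com scripts; the Cloudflare mirror and the genuine google-analytics.com host pass, which is the distinction the typosquat entries in the list are there to make.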