pdoc embeds link to malicious CDN if math mode is enabled

@adhintz

Impact

Documentation generated with pdoc --math linked to JavaScript files from polyfill.io.
The polyfill.io CDN has been sold and now serves malicious code.

Users who produce documentation with math mode should update immediately. All other users are unaffected.

Patches

This issue has been fixed in pdoc 14.5.1.

References

#703
https://sansec.io/research/polyfill-supply-chain-attack

Timeline

[2024-06-25] https://sansec.io/research/polyfill-supply-chain-attack is published.
[2024-06-25 20:54 UTC] Issue reported to the pdoc project by @adhintz.
[2024-06-25 21:33 UTC] Patched version released.
[2024-06-25 21:37 UTC] Security advisory published.
[2024-06-25 23:49 UTC] CVE-2024-38526 assigned by GitHub.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pdoc embeds link to malicious CDN if math mode is enabled

Package

Affected versions

Patched versions

Description

Impact

Patches

References

Timeline

Severity

CVE ID

Weaknesses

Credits