
Possible supply-chain "attack" (or demonstration, from what I can tell) on wherever they get their polyfill library? It's coming from:

https://polyfill.archive.org/v3/polyfill.min.js?features=fet...



Possibly unrelated. How can they elevate from a script injected in the frontend to the database of all users?

Also, the vulnerability seems to be a domain overtake. But Archive is self-hosting a static version of the dependency?


One way might be to capture credentials for admin accounts if they have a "god mode".



