• Resolved ltparis2002

    (@ltparis2002)


    Today, I’ve got an email from ImunifyAV antivirus scanner installed on my server (as a Plesk plugin). It reported that my website is compromised with malware. It reports that it detected this in the following file: /blog/wp-content/plugins/photonic/include/js/front-end/src/Polyfill.js

    The reported signature identifier is SMW-INJ-27295-js.spam-5. It is reported as client malware.

    Because of the name of the file I assume a connection to the security vulnerability involving the polyfill.io CDN reported a few months ago. I think you will understand that I’m now really concerned about the further usage of the Photonic plugin.

    I am currently using Photonic Plugin version 3.10.

    Do you know this issue already and can possibly give some advice on how to proceed? Currently, my only option would be to uninstall and replace the Photonic plugin which would cause a lot of effort. I would regret no longer being able to use the plugin that has served me well so far.

    Thank you in advance.

    • This topic was modified 6 months ago by ltparis2002. Reason: Added used plugin version
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Sayontan Sinha

    (@sayontan)

    From what I can see based on a Google search of “SMW-INJ-27295-js.spam-5”, a number of people have posted in the last couple of days from various platforms that ImunifyAV has reported this. As far as I am aware, there is no issue in the script distributed with Photonic. You can verify the original source code of the file too from here. You might want to compare your local file with this one.

    Here’s what I would suggest:

    1. First do the file comparison between the files line-by-line as per my suggestion. If the files are the same, then let me know, and I will have to investigate. WP plugins go through a level of security scans, but it is possible that their scans don’t catch all issues.
    2. If the files are different, it means that something has modified your file. This could well be due to a vulnerability in a different plugin. Generally, a compromised plugin will add malware in quite a few other places to misdirect.
    3. It is also possible that the bug is in ImunifyAV, and that they are performing mistaken identifications. I say this based on the multiple reports from other platforms (including Joomla) reporting this.

    Regarding the issue about polyfill.io, you can also see here, where I responded to a question from someone about 3 months back. Polyfill’s CDN was compromised, but Photonic never referenced that script from the CDN, rather it had a much smaller list of polyfills, mostly from a number of places (primarily Mozilla’s MDN).
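
Added example, not part of the original thread or of Photonic's code: the file comparison suggested in the reply above, extended from a single file to the whole plugin directory so that modified and extra files also surface. The file names and contents built in `demo()` are constructed for illustration; in practice `pristine` would be an unpacked copy of the same plugin version from the official source.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file's path relative to root to the SHA-256 of its bytes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(installed, pristine):
    """Compare an installed plugin directory with a pristine copy of the same version."""
    have, want = sha256_tree(installed), sha256_tree(pristine)
    return {
        "modified": sorted(f for f in have.keys() & want.keys() if have[f] != want[f]),
        "added": sorted(have.keys() - want.keys()),    # files the release never shipped
        "missing": sorted(want.keys() - have.keys()),  # files removed from the install
    }


def demo():
    """Build two constructed trees (not real Photonic files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, installed = Path(tmp, "pristine"), Path(tmp, "installed")
        files = {"include/js/Polyfill.js": b"// constructed sample\n",
                 "photonic.php": b"<?php // constructed sample\n"}
        for base in (pristine, installed):
            for rel, data in files.items():
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        clean = compare_trees(installed, pristine)
        # Simulate a tampered install: one changed file and one extra file.
        (installed / "photonic.php").write_bytes(b"<?php // changed\n")
        (installed / "include/extra.php").write_bytes(b"<?php // not in release\n")
        return clean, compare_trees(installed, pristine)


if __name__ == "__main__":
    clean, tampered = demo()
    print("unchanged copy:", clean)
    print("tampered copy: ", tampered)
```

The comparison is byte-exact, so a file that differs only in line endings is also listed as modified and needs a manual look before it is treated as tampering.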

    Plugin Author Sayontan Sinha

    (@sayontan)

    Just as a precaution, I have removed the file – it was anyway needed for IE versions 11 and lower, which are all deprecated. If you fetch version 3.11, you shouldn’t see any issue.

    However, I would suggest some scrutiny of the ImunifyAV plugin and its output. Points #2 and #3 from my previous post will still apply, specifically since there was no bad code in the Polyfill file. So, you either have another vulnerable plugin, or there is a bug in the ImunifyAV plugin.

    Thread Starter ltparis2002

    (@ltparis2002)

    Thank you for the very quick reply and the hints. I did as you suggested and compared the file with the one you provided in the link – they were exactly the same. So, luckily the file on my machine was unchanged. Therefore, I guess, ImunifyAV gave me a false alarm.

    Anyway, I will install version 3.11 now – so the alarm should disappear because the polyfill.js file is not available anymore then.

    Thank you again for your help! Very good job! I really appreciate it.
