Pharos Response to Polyfill.io Malicious Code (CVE-2024-38526)

Pharos Impact: None

Pharos has reviewed all of our software, third-party tools and libraries, internal infrastructure, and cloud infrastructure, and can confirm that we do not use the polyfill.io JavaScript library anywhere.

Background

Recently, a security exploit was discovered inside a popular open-source library that helps older browsers support newer functionality (CVE-2024-38526).

Polyfill.io Supply Chain Attack | Qualys Security Blog

Many organizations, including Pharos customers, are urgently investigating where this tool is used and how to update/repair those instances.