Polyfill as an example of Supply Chain attack

[LLoyderino]

Hi there,

I was thinking, for the next edition of the OWASP (2025?) a good example of Supply Chain attack could be the polyfill.io incident.

It's a good example of why not to trust 3rd party CDNs, especially considering how widespread it got, affecting over 100k websites across the world.
And it was the result of a popular domain expiring and being acquired by a malicious party.

A good place to place this would be in the "Software and Data Integrity Failures" chapter, probably together with (or in lieu of) the SolarWinds Orion attack:

Top10/2021/docs/en/A08_2021-Software_and_Data_Integrity_Failures.md

Lines 70 to 71 in 90859c5

	around 100 or so were affected. This is one of the most far-reaching and
	most significant breaches of this nature in history.

[pfortuna]

I agree. There's a number of ways to verify the integrity of 3rd party scripts. PCI DSS 4 has incorporated this in requirements 6.4.3 and 11.6.1. From using signatures with SRI to behavior-based monitoring to evaluate changes introduced by new versions of scripts.

[prasunsrivastav123-lang]

Hi! This is a great suggestion. I’d be happy to work on adding the polyfill.io incident as a supply chain attack example under A08 (Software and Data Integrity Failures), if this issue is still open and unassigned.