PolyFill CDN Supply Chain Attack CVE-2024-38526



A compromise to the CDN used by cdn.polyfill.io, and other locations hosting polyfill.js, Javascript used to support older browsers, caused users to go to a malicious link. This URL is present in some Quarto documents. 


When Quarto, a markdown application developed as an open-source product by Posit, generates HTML documents (webpages, reveal.js presentations and dashboards) with the standard template and with mathjax(which is the default) the compromised link is included in the HTML document. 

Affected Quarto versions <1.4.557 and RC versions <1.5.24


Posit IDE and Workbench are packaged with Quarto. Quarto versions before 1.4.557 and release candidates prior to 1.5.24 can produce a URL reference related to this vulnerability.

However, the registrar has removed the malicious URLs and a secure version of polyfill.js is being hosted by Cloudflare. We currently consider this a Medium severity vulnerability and a patched Quarto version will be included in future versions of Posit IDE and Workbench.

 Posit recommends that customers take the following actions:

  • Upgrade to the latest Quarto version, which works with Posit IDE and Workbench. This will update the URL point to Cloudflare Quarto HTML templates. You can download the latest version of Quarto here.
  • Customers may also wish to update content published to Connect with versions of Quarto before 1.4.557. To identify such content, you can use the Python scripts attached to this article.
  • Monitor applications for unauthorized or unusual activity.

Posit products are tested on all new versions of Quarto. Please subscribe to product announcements for more on Posit releases.