A major supply chain attack has compromised websites using Polyfill (Polyfill.io), a JavaScript CDN service used by over 100,000 websites to deliver JavaScript code. Security researchers warn that the cdn.polyfill.io domain has been compromised to serve malicious code in scripts. The domain was acquired by a Chinese company, Funnull, in February 2024.
Polyfill.io is an open-source library containing snippets of code that ensure older browsers can understand features only available in newer versions. This allows developers to use modern web standards and APIs without compatibility issues, and write code while ensuring it works in older environments.
In its report, published on 25 June 2024, Sansec wrote that the new owners allegedly injected malicious code into the Polyfill.io library. Websites that continued using the compromised cdn.polyfill.io resource unknowingly exposed their visitors to potential threats.
“In February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io,” Sansec’s research revealed.
San Francisco-based security monitoring firm c/side founder Simon Wijckmans also raised alarm in their advisory, urging website owners to remove the polyfill.io domain from their applications. Wijckmans noted that the attackers are hiding the domain, similar to JavaScript threats, making it a tempting path for malicious actors.
Further probing revealed that the malicious code generates payloads based on HTTP headers, evading detection and avoiding admin users. The code is injected into devices via websites using cdn.polyfill.io. Users may receive tampered JavaScript files, including fake Google Analytics links, redirecting them to sports betting and pornographic websites. The malicious code, being JavaScript, could introduce new attacks like formjacking, clickjacking, and broader data theft.
Polyfill users were warned about potential malicious activity in February by developer Andrew Betts. In his post on X, Betts advised users to stop using the polyfill.io domain after the sale and remove references to the CDN.
If your website uses https://t.co/3xHecLPXkB, remove it IMMEDIATELY.
I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale. https://t.co/GYt3dhr5fI
— Andrew Betts (@triblondon) February 25, 2024
Google has blocked ads for e-commerce sites using the Polyfill.io service and proactively shared information on how to mitigate the issue to help affected advertisers secure their websites. Web infrastructure providers Cloudflare and Fastly have offered alternative endpoints to help users move away from polyfill.io.
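Removing references to the CDN starts with finding them. The following is an added example, not code from Sansec, c/side or the Polyfill project: it scans HTML source for `<script>` and `<link>` tags that load from polyfill.io or any of its subdomains. It parses the URL instead of searching for a substring, so protocol-relative URLs are caught and look-alike hosts or local paths are not. The sample page, the `example.test` base URL and the function names are assumptions made for the illustration.

```javascript
// Added example: locate references to the polyfill.io domain in HTML source.
const BLOCKED_DOMAIN = "polyfill.io"; // domain named in the article

// Constructed sample page (not taken from any real site).
const SAMPLE_HTML = [
  "<html><head>",
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>',
  "<script src='//polyfill.io/v3/polyfill.min.js?features=fetch'></script>",
  '<link rel="preconnect" href="https://CDN.Polyfill.io">',
  '<script src="https://notpolyfill.io.example.test/p.js"></script>',
  '<script src="/static/polyfill.io/local-copy.js"></script>',
  "</head></html>",
].join("\n");

// True when host is the blocked domain or one of its subdomains.
// Compares whole DNS labels, so look-alike hosts do not match.
function isBlockedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === BLOCKED_DOMAIN || h.endsWith("." + BLOCKED_DOMAIN);
}

// Return each <script src> or <link href> in `html` that loads from the
// blocked domain. `pageUrl` (hypothetical default) is the base used to
// resolve relative and protocol-relative ("//host/path") URLs.
// Limitation: a tag whose attribute value contains ">" is cut short.
function findPolyfillRefs(html, pageUrl = "https://example.test/") {
  const hits = [];
  const tagRe = /<(script|link)\b[^>]*>/gi;
  const attrRe = /\s(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = attrRe.exec(m[0]);
    if (!attr) continue;
    const raw = attr[2] ?? attr[3] ?? attr[4];
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; }
    if (!isBlockedHost(url.hostname)) continue;
    const line = html.slice(0, m.index).split("\n").length;
    hits.push({ line, tag: m[1].toLowerCase(), url: url.href });
  }
  return hits;
}

for (const h of findPolyfillRefs(SAMPLE_HTML)) {
  console.log(`line ${h.line}: <${h.tag}> loads ${h.url}`);
}
```

Scripts injected at runtime by other JavaScript do not appear in static HTML, so a source scan like this is a first pass and not a complete inventory.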
The Polyfill.io incident highlights the importance of supply chain security, continuous monitoring, and open-source collaboration in web development. Developers should be cautious when integrating external resources and prioritize security practices. Regular security audits and code reviews are crucial for identifying vulnerabilities and preventing exploitation.