Security Alert: Polyfill.io Supply Chain Attack

Malware compromises more than 100,000 JavaScript websites.

By Louise Dalton
Origina Security Operations Analyst

and Matt Woodford
Origina Pre-Sales Specialist and Integration Technologist

There is a significant JavaScript supply chain vulnerability involving the widely used JavaScript file hosted on the polyfill.io domain. It is believed that over 100,000 websites use the popular JavaScript Content Delivery Network (CDN) service, Polyfill.io. The domain bootcss.com might have also been compromised.

The domain cdn.polyfill.io was acquired by the Chinese company Funnull on February 24, 2024, and its traffic was redirected to Baishan Cloud CDN.

Baishan Cloud CDN is a cloud-based service provided by Baishan Cloud, a Chinese company specializing in cloud services and network solutions. A CDN is a network of servers distributed globally to deliver content more efficiently to users by caching copies of content closer to where the users are located. This reduces latency, speeds up load times, and improves the overall user experience.

The original developer of the Polyfill service, believed to be Andrew Betts, never owned the domain or had influence over the sale. In fact, on February 25, 2024, Betts posted on his X account that “If your website uses polyfill.io, remove it IMMEDIATELY. I created the polyfill service project, but I have never owned the domain name and I have no influence over its sale.”

Since then, this domain has been caught injecting malware (malicious JS injection) into any site that embeds cdn.polyfill.io, which affects landing pages, redirects mobile visitors to scam sites, and potentially plants back-doors. These actions could lead to monitoring of user traffic and malicious interception of sensitive information, including credential theft and other security issues.

Incidentally, complaints on the associated GitHub site, also believed to be owned by Funnull, have been deleted.

Here’s how it works.

  1. A user embeds polyfill.io in their website to support older browsers.
  2. The user’s website connects to the compromised domain.
  3. Visitors connect to the compromised website and receive the malicious JS injection.
  4. Visitors get redirected to an alternative website that might steal credentials and inject malware.

What is Polyfill?

Polyfill is an open-source library, usually referring to JavaScript, which developers can include to support older browsers. The polyfill code is dynamically generated based on the HTTP headers of each request, so numerous attack vectors could be possible.

How Polyfill Was Used in Cyberattack

Websites can embed the Polyfill library using the cdn.polyfill.io domain. Developers who had embedded the cdn.polyfill.io scripts in their websites were, after the sale, pulling code directly from the Chinese company’s servers.

The attack is said to have occurred after the Chinese company that acquired the domain modified a script to redirect users to both malicious and scam sites without the website owner’s knowledge.

The modified script is primarily used to redirect users to scam sites, such as a fake Sportsbook site. It does this through a fake Google Analytics domain (www[.]googie-anaiytics[.]com) or redirects such as kuurza[.]com/redirect?from=bitget.

According to Sansec, it has been difficult to fully analyze the modified script since it uses very specific targeting and is resistant to reverse engineering.

Steps to Mitigate Polyfill Supply Chain Attack

To mitigate these risks, developers should follow these two steps:

Step 1: Identify usage. Use a code search tool or integrated development environment (IDE) to search for instances of cdn.polyfill.io in source code across all projects within the organization. A Software Bill of Materials (SBOM) may also help.

Step 2: Replace with a secure version. Fastly took a snapshot of the code before the domain was sold to Funnull and is hosting it at https://polyfill-fastly.io. Use this remote host until you are able to download the file locally and host it yourself.

Developers should download the polyfill.js file locally, scan it for vulnerabilities, and host it on internal systems. Replace all instances of `<script src="//cdn.polyfill.io…` with the new secure `<script src="//polyfill-fastly.io…` or a locally hosted polyfill JavaScript file.
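The two steps above, identify and replace, carried out as an added example (not code from the original article or from Fastly): a small Python script that counts polyfill.io mentions across a project tree the way a code search would, lists the `<script>` tags a page still loads from the domain, and rewrites them to `polyfill-fastly.io` (an assumed default; substitute your own internal host once you self-host). The sample HTML is constructed for the demonstration.

```python
"""Locate and rewrite references to the compromised polyfill.io CDN in a project tree."""
import re
from pathlib import Path

REPLACEMENT_HOST = "polyfill-fastly.io"  # Fastly's snapshot; swap in your own host once self-hosted

# Step 1: any mention of the domain, the way a code-search or grep would find it.
HOST_RE = re.compile(r"(?:cdn\.)?polyfill\.io", re.IGNORECASE)

# Step 2: a <script src="..."> that loads from polyfill.io. Group 1 is the tag up to the
# opening quote, group 2 the scheme and host, group 3 the path and query string.
SCRIPT_SRC_RE = re.compile(
    r"""(<script\b[^>]*\bsrc\s*=\s*["'])((?:https?:)?//(?:cdn\.)?polyfill\.io)((?:/[^"']*)?)(?=["'])""",
    re.IGNORECASE,
)

# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<script src="https://static.example.invalid/app.js"></script>
</head></html>"""


def count_refs(text: str) -> int:
    """Number of polyfill.io mentions in a file's text (scheme-independent)."""
    return len(HOST_RE.findall(text))


def find_polyfill_refs(html: str) -> list[str]:
    """Every polyfill.io script URL a page still loads, in document order."""
    return [m.group(2) + m.group(3) for m in SCRIPT_SRC_RE.finditer(html)]


def rewrite_polyfill_refs(html: str, new_host: str = REPLACEMENT_HOST) -> tuple[str, int]:
    """Point every polyfill.io <script> at new_host over https; returns (html, replacements)."""
    return SCRIPT_SRC_RE.subn(rf"\1https://{new_host}\3", html)


def scan_tree(root: Path, exts=(".html", ".htm", ".php", ".js", ".jsx", ".tsx", ".vue")) -> dict[str, int]:
    """Map each source file under root that mentions polyfill.io to its mention count."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            n = count_refs(path.read_text(errors="replace"))
            if n:
                hits[str(path)] = n
    return hits


if __name__ == "__main__":
    for url in find_polyfill_refs(SAMPLE_HTML):
        print("found:", url)
    fixed, n = rewrite_polyfill_refs(SAMPLE_HTML)
    print(f"rewrote {n} tag(s); remaining mentions: {count_refs(fixed)}")
```

Run `scan_tree(Path("."))` from a repository root to get the Step 1 inventory, then apply `rewrite_polyfill_refs` to each flagged HTML file after reviewing the diff.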

Indicators of Compromise (IOCs)

IOCs can include, but are not limited to:

  • https://kuurza.com/redirect?from=bitget
  • https://www.googie-anaiytics.com/html/checkcachehw.js
  • https://www.googie-anaiytics.com/ga.js

A certified CompTIA Cybersecurity Analyst, Louise Dalton previously worked in cybersecurity analysis and response for Hewlett Packard. She has a master’s degree in cybersecurity.

Matt Woodford is a Solutions Architect specializing in commerce-driven cloud technologies. He has more than 25 years of experience designing and implementing complex, integrated IBM e-commerce solutions.
