A widespread supply chain attack has hit more than 100,000 websites, including notable platforms like JSTOR, Intuit, and the World Economic Forum. The attack stems from a fake domain impersonating the popular open-source library Polyfill.js, which supports older browsers.
In February, the Chinese company Funnull had acquired the domain and GitHub account associated with the project, leading to the injection of malware into sites that embed cdn.polyfill.io. The malicious code is designed to redirect mobile users to sports betting sites or pornographic sites using a fake Google Analytics domain.
Malicious Polyfill Injection and Its Impact
Researchers stated that the injected malware is dynamically generated based on HTTP headers, making it difficult to detect. The Polyfill injection attack is a classic example of a supply chain attack against a widely used library.
The compromised Polyfill code dynamically generates malware based on HTTP headers, potentially utilizing multiple attack vectors. Researchers from Sansec decoded one variant that redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware employs sophisticated techniques and defenses against reverse engineering to evade detection, including:
- Activating only on specific mobile devices at certain hours
- Avoiding execution when an admin user is detected
- Delaying activation when web analytics services are present
The attack’s scope is significant, with Google already blocking Google Ads for e-commerce sites using polyfill.io. Researchers later reported that their infrastructure had been subjected to DDoS attacks after reporting on the campaign.
Mitigation and Recommendations
Andrew Betts, the original Polyfill author, took to X to advise against the usage of Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern.
Experts have set up a domain (polykill.io) to warn against the compromise of the project and have recommend the following steps for website owners:
- Immediately and remove usage of cdn.polyfill.io from websites and projects.
- Replace with a secure alternative such as those being offered by Fastly and CloudFlare. Fastly has saved and hosted an earlier version(https://polyfill-fastly.io/) of the project’s codebase before its sale to Funnull.
The website cautioned of the risks associated with the takeover of the project:
“There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser.”
CloudFlare had also published its findings and recommendations in response to concerns over the compromise of domains. The company stated in a blog article:
The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised.”
This incident serves as a stark reminder of the security implications of relying on external code libraries/third-party scripts and the importance of vigilance in maintaining website integrity, plus the potential malicious takeover of massively deployed projects.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
