Polyfill Supply Chain Attack Compromises Over 100,000 Websites
26 June 2024 at 19:30
Malicious Polyfill Injection and Its Impact
Researchers stated that the injected malware is dynamically generated based on HTTP headers, making it difficult to detect. The Polyfill injection attack is a classic example of a supply chain attack against a widely used library. [caption id="attachment_79097" align="alignnone" width="2454"]![Polyfill Injection](../themes/icons/grey.gif)
- Β Activating only on specific mobile devices at certain hours
- Β Avoiding execution when an admin user is detected
- Β Delaying activation when web analytics services are present
Mitigation and Recommendations
Andrew Betts, the original Polyfill author, took to X to advise against the usage of Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern. [caption id="attachment_79101" align="alignnone" width="623"]![](../themes/icons/grey.gif)
![](../themes/icons/grey.gif)
- Immediately and remove usage of cdn.polyfill.io from websites and projects.
- Replace with a secure alternative such as those being offered by Fastly and CloudFlare. Fastly has saved and hosted an earlier version(https://polyfill-fastly.io/) of the project's codebase before its sale to Funnull.
"There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser."CloudFlare had also published its findings and recommendations in response to concerns over the compromise of domains. The company stated in a blog article:
The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."This incident serves as a stark reminder of the security implications of relying on external code libraries/third-party scripts and the importance of vigilance in maintaining website integrity, plus the potential malicious takeover of massively deployed projects. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.