Namecheap shut down polyfill.io amid reports of malicious activity, but the Chinese owner claims it has good intentions.

The post Polyfill Domain Shut Down as Owner Disputes Accusations of Malicious Activity appeared first on SecurityWeek.

Claims, counterclaims, website shutdowns, redirections and DDoS attacks were among the highlights (or lowlights) as news of the Polyfill supply chain attack entered its second day. After Polyfill(.)io was shut down by registrar Namecheap, the allegedly compromised JavaScript CDN service relaunched at Polyfill(.)com, and claimed it had been “maliciously defamed.” Meanwhile, the researchers who first reported the supply chain compromise were hit by a DDoS attack, while many security researchers wondered how such a widely used web component could have been sold to a Chinese company in the first place. Here are the latest developments in the attack, which is potentially the largest-ever digital supply chain attack. While the full extent of malware distributed through the CDN remains unknown, initial estimates were that more than 100,000 websites were using the service. However, in a post on X, Cloudflare CEO Matthew Prince said “Tens of millions of websites (4% of the web) uses Polyfill(.)io. Extremely concerning malware has been discovered impacting any site using Polyfill.” He also said Cloudflare was automatically replacing Polyfill links with its own mirror. [caption id="attachment_79279" align="alignnone" width="400"] Extent of website exposure to Polyfill(.)io (source: X)[/caption]

Extent of Polyfill Supply Chain Attack Unknown, But Big Names Among Users

Some of the biggest names turning up in a search for cdn(.)polyfill(.)io include Intuit, JSTOR, the World Economic Forum, a Coldwell Banker real estate site, major educational sites like Brandeis University, the technical standards organization ASTM, the Bank of Ireland, Live Nation sites for Spain and the UK, the RAINN anti-sexual violence organization, data management vendor AvePoint, investment company MSCI, industrial network company Moxa, the Environmental Defense Fund, and the Dubai Airports Company. The extent of the Polyfill supply chain attack may be unknown for some time. In February, a Chinese company bought the Polyfill domain and the Github account, and concern about the deal surfaced almost immediately. The Sansec researchers who initially publicly disclosed the threat two days ago noted that since the acquisition, “this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed from the Github repository.” The researchers said that the polyfill code is dynamically generated based on the HTTP headers, “so multiple attack vectors are likely.” Sansec decoded one particular malware strain that redirects mobile users to a sports betting site using a fake Google analytics domain (googie-anaiytics(.)com). The researchers said they were subsequently hit by a DDoS attack after publishing their initial report. [caption id="attachment_79278" align="alignnone" width="400"] Researchers hit by DDoS attack (source: X)[/caption]

Google Started Blocking Ads in Mid-June

It’s not clear how long the threat has been known – it is standard practice for threat researchers to wait to reveal their findings until affected parties have had a chance to fix vulnerabilities – but Google has apparently been rejecting ads that link to the googie-anaiytics domain since at least mid-June. In a letter to advertisers this week (reprinted below), Google cited redirects coming from “a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org” for the rejected ads. [caption id="attachment_79305" align="alignleft" width="260"] Google Ads Polyfill letter[/caption] In addition to those four domains, Sansec researchers added an additional five malicious domains to their original report: staticfile(.)net, unionadjs(.)com, xhsbpza(.)com, union(.)macoms(.)la, and newcrbpc(.)com. That gives website owners a total of nine services and domains to monitor and remove from their sites. The connection between the sites apparently came from a secrets leak on the Polyfill site. Some of the domains have been used for malicious activity since at least June 2023.

Mitigations Set Up By Cloudflare, Fastly

To mitigate supply chain risk, Cloudflare released an automatic JavaScript URL rewriting service that will rewrite any link to polyfill(.)io found in a website proxied by Cloudflare to a link to the company’s mirror under cdnjs. Cloudflare also charged that Polyfill was falsely misusing the Cloudflare name and logo on its website. Fastly – which hosted the CDN for free before it was sold – had also set up an alternative service based on the Polyfill open source project. Developer Andrew Betts, who had created the Polyfill service project, said in an X post at the time of the sale in February that "No website today requires any of the polyfills in the http://polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

Polyfill Owner Responds

The Polyfill(.)io owners took to X to respond to the malware charges. “Someone has maliciously defamed us,” said a post to the Polyfill_Global account. “We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would be jeopardize  (sic) our own reputation.” [caption id="attachment_79275" align="alignnone" width="400"] Polyfill response (source: X)[/caption] The Cyber Express will continue to update readers as this story evolves. Note: This article was updated on June 28 to report that 9 malicious domains relating to the Polyfill supply chain attack have now been identified.

A widespread supply chain attack has hit more than 100,000 websites, including notable platforms like JSTOR, Intuit, and the World Economic Forum. The attack stems from a fake domain impersonating the popular open-source library Polyfill.js, which supports older browsers. In February, the Chinese company Funnull had acquired the domain and GitHub account associated with the project, leading to the injection of malware into sites that embed cdn.polyfill.io. The malicious code is designed to redirect mobile users to sports betting sites or pornographic sites using a fake Google Analytics domain.

Malicious Polyfill Injection and Its Impact

Researchers stated that the injected malware is dynamically generated based on HTTP headers, making it difficult to detect. The Polyfill injection attack is a classic example of a supply chain attack against a widely used library. [caption id="attachment_79097" align="alignnone" width="2454"] At least 104183 websites might be affected. (Source: publicwww.com)[/caption] The compromised Polyfill code dynamically generates malware based on HTTP headers, potentially utilizing multiple attack vectors. Researchers from Sansec decoded one variant that redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware employs sophisticated techniques and defenses against reverse engineering to evade detection, including:

•  Activating only on specific mobile devices at certain hours
•  Avoiding execution when an admin user is detected
•  Delaying activation when web analytics services are present

The attack's scope is significant, with Google already blocking Google Ads for e-commerce sites using polyfill.io. Researchers later reported that their infrastructure had been subjected to DDoS attacks after reporting on the campaign.

Mitigation and Recommendations

Andrew Betts, the original Polyfill author, took to X to advise against the usage of Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern. [caption id="attachment_79101" align="alignnone" width="623"] Source: X.com(@triblondon)[/caption] [caption id="attachment_79102" align="alignnone" width="634"] Source: X.com(@triblondon)[/caption] Experts have set up a domain (polykill.io) to warn against the compromise of the project and have recommend the following steps for website owners:

• Immediately and remove usage of cdn.polyfill.io from websites and projects.
• Replace with a secure alternative such as those being offered by Fastly and CloudFlare. Fastly has saved and hosted an earlier version(https://polyfill-fastly.io/) of the project's codebase before its sale to Funnull.

The website cautioned of the risks associated with the takeover of the project:

"There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser."

CloudFlare had also published its findings and recommendations in response to concerns over the compromise of domains. The company stated in a blog article:

The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

This incident serves as a stark reminder of the security implications of relying on external code libraries/third-party scripts and the importance of vigilance in maintaining website integrity, plus the potential malicious takeover of massively deployed projects. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.