Polyfill.io Supply Chain Attack Compromises Over 100K Websites

In a recent security breach, more than 100,000 websites have been compromised by a supply chain attack involving the domain polyfill[.]io. This domain, widely embedded in web pages to deliver JavaScript polyfills, has started serving malicious payloads, opening the door to a range of attacks including data theft and clickjacking. The trouble began after the domain was sold to a Chinese organization earlier this year.

The Attack

Security researchers have identified that the cdn[.]polyfill[.]io domain is now distributing malicious code to end users. The attack affects every website that loads scripts from polyfill[.]io to provide modern JavaScript features to older browsers. The injected code redirects visitors to inappropriate sites such as pornographic and sports-betting pages, and because it runs with the full privileges of the embedding page it can be turned to more serious ends such as data theft.

Simon Wijckmans, the founder of the security monitoring firm c/side, issued a warning about this breach. He emphasized the urgency of removing any references to polyfill[.]io from websites, stating, “This attack places an estimated +100k websites at immediate risk.”

Malicious Payloads

Researchers discovered that the injected malicious code generates its payload dynamically from the HTTP request headers of each visitor. This lets the code activate only on specific mobile devices, evade detection, avoid admin users, and delay execution, so a site owner loading the page from a desktop browser typically sees nothing wrong. In some cases, users receive tampered JavaScript files that include fake Google Analytics links, which redirect them to various malicious sites depending on their region.

The nature of JavaScript means that the malicious code could introduce new attacks at any moment, such as formjacking, clickjacking, and broader data theft.

Forewarning and Response

Concerns about the potential for malicious activity were raised back in February when the domain was purchased by Funnull, a Chinese company. Andrew Betts, the developer of the open-source Polyfill project, had already urged users to stop using the polyfill[.]io domain. Betts clarified that he never owned the domain and had no control over its sale.

To raise awareness of this risk, a site called Polykill was created. It informs site owners of the dangers of loading scripts from polyfill[.]io and provides alternative ways to deliver the same polyfills safely.

Immediate Actions

Given the serious implications of this supply chain attack, website administrators must take immediate action. Removing references to cdn[.]polyfill[.]io from websites is crucial. Wijckmans pointed out that “third-party resources are in a very powerful position and thus a high-value target for bad actors,” emphasizing the need for vigilance.

The open-source Polyfill library itself has not been tampered with; it is the polyfill[.]io domain and the CDN behind it that have been compromised. Administrators are advised to self-host the polyfill bundle they need in an environment they control. Additionally, at the time of writing threat feeds do not flag the compromised domain, so relying on them alone is insufficient.

The Polykill website recommends using a code search tool or an integrated development environment (IDE) to locate every reference to the compromised domain in source code across all projects. It also suggests polyfill-fastly[.]net and polyfill-fastly[.]io, which are free drop-in replacements for polyfill[.]io that accept the same URL paths.
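As a concrete form of the search-and-replace step recommended above, here is an added example (not code from the article, from c/side or from the Polykill project) that walks a source tree, reports every URL pointing at polyfill[.]io or any of its subdomains, and optionally rewrites those URLs to a replacement host. The replacement host, the file-extension list and the sample files are assumptions made for the example; polyfill-fastly.net is used because the article names it as a drop-in replacement. It only finds literal `//host/...` URLs in text files, so hostnames assembled at runtime still need a manual review.

```python
"""Locate and optionally rewrite references to the compromised polyfill.io domain.

Added example, not part of the original article or of the Polykill project.
Assumptions: the replacement host, the set of text file extensions scanned,
and the sample files in SAMPLE_FILES are all chosen for this example.
"""
import re
import tempfile
from pathlib import Path

# Matches absolute or protocol-relative URLs whose host is polyfill.io or any
# subdomain of it (cdn.polyfill.io included). The negative lookahead stops
# "polyfill.io.example.com" from being flagged as polyfill.io.
COMPROMISED_RE = re.compile(
    r"(?P<scheme>https?:)?//"
    r"(?P<host>(?:[a-z0-9-]+\.)*polyfill\.io)(?![a-z0-9.-])"
    r"(?P<path>/[^\s\"'<>]*)?",
    re.IGNORECASE,
)

REPLACEMENT_HOST = "polyfill-fastly.net"  # assumption: the drop-in chosen for this example

# Assumption: file types likely to carry script tags or script URLs.
TEXT_SUFFIXES = {".html", ".htm", ".js", ".jsx", ".ts", ".tsx", ".php",
                 ".vue", ".ejs", ".hbs", ".twig", ".erb", ".md"}


def find_references(text):
    """Return a list of (line_no, host, path) for every polyfill.io URL in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in COMPROMISED_RE.finditer(line):
            hits.append((line_no, m.group("host").lower(), m.group("path") or ""))
    return hits


def rewrite_references(text, replacement_host=REPLACEMENT_HOST):
    """Point every polyfill.io URL at replacement_host, keeping scheme and path intact."""
    def swap_host(m):
        return f"{m.group('scheme') or ''}//{replacement_host}{m.group('path') or ''}"
    return COMPROMISED_RE.sub(swap_host, text)


def scan_tree(root, fix=False):
    """Walk root and report references per file; rewrite files in place when fix=True."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary or oddly encoded file; not a script tag carrier
        hits = find_references(text)
        if hits:
            report[str(path.relative_to(root))] = hits
            if fix:
                path.write_text(rewrite_references(text), encoding="utf-8")
    return report


# Constructed sample project: two files reference the sold domain, one already
# uses the replacement and must not be touched.
SAMPLE_FILES = {
    "index.html": '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>\n',
    "app.js": 'const s = document.createElement("script");\n'
              's.src = "//polyfill.io/v3/polyfill.min.js";\n',
    "vendor.js": 'import "https://polyfill-fastly.net/v3/polyfill.min.js";\n',
}


def demo(fix=False):
    """Write SAMPLE_FILES into a temp directory and scan it; returns the report."""
    root = Path(tempfile.mkdtemp())
    for name, body in SAMPLE_FILES.items():
        (root / name).write_text(body, encoding="utf-8")
    return scan_tree(root, fix=fix)


if __name__ == "__main__":
    for filename, hits in demo().items():
        for line_no, host, path in hits:
            print(f"{filename}:{line_no}: {host}{path}")
```

Run it with `fix=True` only after reviewing the report, and commit the resulting diff like any other change. Note that a Subresource Integrity hash is not a substitute for this step: polyfill[.]io served a different bundle depending on the requesting browser's User-Agent, so a fixed `integrity` attribute would never have matched, which is exactly why the only reliable fix is to stop loading from the domain.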

This supply chain attack on polyfill[.]io underscores the vulnerability of third-party resources and the importance of securing web applications against such threats. Website owners must act promptly to protect their users and data by removing references to the compromised domain and seeking secure alternatives.
