Supply Chain Security

Polyfill Supply Chain Attack Hits Over 100k Websites

More than 100,000 websites are affected by a supply chain attack injecting malware via a Polyfill domain.

Security researchers are warning of a web supply chain attack impacting over 100,000 websites that are using the ‘cdn.polyfill.io’ domain.

The polyfill.io website hosted a service for adding JavaScript polyfills to sites; polyfills are small pieces of code that provide modern functionality in older browsers and so ensure compatibility with a broader range of browsers.

In February 2024, however, the domain and associated GitHub account were taken over by the Chinese content delivery network (CDN) company Funnull, which sparked concerns of supply chain attacks being carried out via polyfill.io.

These concerns proved substantiated recently, when website owners using polyfill.io started noticing abnormal behavior and complained about it.

On Tuesday, security researchers at Sansec and C/side confirmed that the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it.

“The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely,” Sansec warned, noting that one payload was redirecting to a sports betting website that was using a fake Google analytics domain.

“The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution. The code is also obfuscated,” C/side said.

Users are being redirected to sports betting websites or adult domains, likely based on their location, the threat intelligence firm said.


“But this being JavaScript, could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft,” C/side warned.

While the Polyfill service appears to remain functional and clean, the cdn.polyfill.io domain should immediately be removed from any website, the threat intelligence firm said.
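Removing the domain starts with finding every page that still references it. The following scanner is an added example and is not code from the article, from Sansec, from C/side or from any other party named here. It finds `<script>` tags whose `src` resolves to polyfill.io or any of its subdomains (protocol-relative `//` URLs included), reports whether the tag carries an `integrity` attribute, and produces a copy of the HTML with those tags stripped. The sample HTML and the host list are constructed for the demonstration.

```javascript
// Added example: locate and remove <script> tags that load from polyfill.io.
// Not part of the article; the sample HTML below is constructed.

// Hosts treated as compromised; subdomains such as cdn.polyfill.io match too.
const SUSPECT_HOSTS = ['polyfill.io'];

function isSuspectHost(hostname) {
  const h = hostname.toLowerCase();
  return SUSPECT_HOSTS.some((s) => h === s || h.endsWith('.' + s));
}

// Matches a <script ... src=...> opening tag (quoted or bare src) and its
// optional closing </script>, so the whole element can be removed at once.
const SCRIPT_TAG_RE =
  /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>(?:\s*<\/script\s*>)?/gi;

// Resolve a src value to a URL; protocol-relative and relative srcs are
// resolved against a placeholder origin so only the hostname matters.
function resolveSrc(src) {
  try {
    return new URL(src, 'https://example.invalid/');
  } catch {
    return null;
  }
}

// Return one finding per script tag that loads from a suspect host.
function findPolyfillScripts(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const [tag, , src] = m;
    const url = resolveSrc(src);
    if (!url || !isSuspectHost(url.hostname)) continue;
    findings.push({
      tag,
      src,
      // An integrity attribute would not help here: the served script is
      // generated per request from HTTP headers, so there is no single hash.
      hasIntegrity: /\bintegrity\s*=/i.test(tag),
      features: url.searchParams.get('features'),
    });
  }
  return findings;
}

// Return the HTML with every suspect script element removed; other scripts
// are left untouched.
function removePolyfillScripts(html) {
  return html.replace(SCRIPT_TAG_RE, (tag, _quote, src) => {
    const url = resolveSrc(src);
    return url && isSuspectHost(url.hostname) ? '' : tag;
  });
}

// Constructed sample page: two polyfill.io references, two legitimate scripts.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
<script src='https://cdn.example.net/lib.js' integrity="sha384-PLACEHOLDER"></script>
</head><body></body></html>`;

console.log(JSON.stringify(findPolyfillScripts(SAMPLE_HTML), null, 2));
console.log(removePolyfillScripts(SAMPLE_HTML));
```

Run it over the site's templates or a crawl of rendered pages; each finding records the requested `features` list, which tells you what the page relied on the service for. Because the script is generated per request, subresource integrity cannot pin it, so the remediation is to drop the tag or self-host a fixed copy.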

“This incident is a typical example of a supply chain attack,” Sansec underlined. Overall, more than 110,000 websites appear to be using cdn.polyfill.io.

Also on Tuesday, Google started warning advertisers about issues with loading JavaScript code from polyfill.io and several other domains, noting that site visitors may be redirected to malicious domains without their permission and that it would block Google Ads for the infected websites.

In February, after the China-based firm bought polyfill.io, Andrew Betts, the original polyfill author, warned that the new domain owner should not be trusted and that Polyfill should no longer be used, as modern browsers already contain the required functionality.

Responding to these concerns, web infrastructure providers such as Cloudflare announced the availability of alternatives to help users safely move from polyfill.io.

“Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries. To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue,” a Google spokesperson told SecurityWeek.

*Updated with statement from Google.

Related: Several Plugins Compromised in WordPress Supply Chain Attack

Related: Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor

Related: Vulnerability in R Programming Language Could Fuel Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
