Polyfill Supply Chain Attack Impacts Over 110,000 Websites

Google has blocked ads for e-commerce sites using the Polyfill.io service after a Chinese company acquired the domain and altered the JavaScript library (“polyfill.js”) to redirect users to malicious sites.

According to the report, this supply chain attack affects over 110,000 websites that utilize the library.

Polyfill is a widely used library that adds modern functionality support to web browsers. Concerns arose in February when the China-based content delivery network (CDN) company Funnull purchased Polyfill.io.

The original creator of the project advised website owners to remove Polyfill.io immediately. He noted, “No website today requires any of the polyfills in the polyfill[.]io library,” and added that most new web platform features are quickly adopted by major browsers, with a few exceptions that can’t be polyfilled, like Web Serial and Web Bluetooth.

This situation prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users transition away from Polyfill.io.

Cloudflare researchers explained, “Websites that embed a link to the original polyfill[.]io domain now rely on Funnull to maintain and secure the project, which poses a supply chain attack risk. Such an attack occurs if the third party is compromised or modifies the code in malicious ways, affecting all websites using the tool.”

Researchers reported that the domain “cdn.polyfill[.]io” has been found injecting malware that redirects users to sports betting and pornographic sites.

San Francisco-based c/side also issued an alert, stating that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.

These findings come after an advisory regarding a critical security flaw in Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8). Despite fixes being available since June 11, 2024, the flaw remains largely unpatched.

It has also been discovered that third parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making the situation even more severe.

To protect against supply chain attacks like the one affecting Polyfill.io, it is essential to regularly audit and update all third-party libraries and dependencies. Use content security policies (CSP) to control which scripts can be loaded and executed on your site. Additionally, conduct regular security reviews and stay informed about the latest threats and patches for any CMS and plugins in use.
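To make the audit step concrete, the following added Python script (not code from the article or from any vendor it cites) parses a page's script tags, flags loads from the polyfill.io hosts named above, and reports which external hosts a given CSP script-src allowlist would refuse; the sample HTML, the policy and the cdnjs URL are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts named in the article; any script still loaded from them should be removed.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names
            self.sources += [v for k, v in attrs if k == "src" and v]

def host_allowed(host, script_src):
    """True if a CSP script-src list (host sources, '*.' wildcards) permits host."""
    for source in script_src:
        if source.startswith("'"):
            continue  # keywords such as 'self' never permit an external host
        allowed = source.split("://")[-1].split("/")[0].split(":")[0].lower()
        if host == allowed or (allowed.startswith("*.") and host.endswith(allowed[1:])):
            return True
    return False

def audit_scripts(html, script_src):
    """Return (flagged, blocked): polyfill.io loads, and loads the CSP would refuse."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    flagged, blocked = [], []
    for src in collector.sources:
        # Protocol-relative URLs ("//host/...") need a scheme before parsing.
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        if not host:
            continue  # same-origin path, covered by 'self'
        if host.lower() in FLAGGED_HOSTS:
            flagged.append(src)
        if not host_allowed(host.lower(), script_src):
            blocked.append(src)
    return flagged, blocked

# Constructed sample page and policy, not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head></html>"""
SAMPLE_POLICY = ["'self'", "cdnjs.cloudflare.com"]

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_HTML, SAMPLE_POLICY))
```

The CSP matching here is deliberately simplified to host sources and `*.` wildcards; it does not model scheme or path matching, nonces or hashes, so treat it as an audit aid rather than a policy validator.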