Polyfill Supply Chain Attack Affects 100,000+ Websites

Anthony J Daw
Cybersecurity Specialist, enthusiast of Python 3 & SQL, Hater of Windows PowerShell. Here to write to you about the wonderful world of Cybercrime, Espionage, and Cyberwarfare.


Polyfill is a popular library that lets websites use modern browser functions while still supporting older browsers that lack them. This past February, concerns were raised following the acquisition of Polyfill by the China-based content delivery network company Funnull. Since the acquisition, the domain has been caught red-handed injecting malware onto mobile devices via sites that embed cdn[.]polyfill[.]io. Complaints about this were removed almost immediately from the project's GitHub support repository.

The original project developer, Andrew Betts, urged website owners to remove it immediately, mentioning: “No website today requires any of the polyfills in the polyfill[.]io library” and that “most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can’t be polyfilled anyway, like Web Serial and Web Bluetooth.”

This development also prompted web infrastructure-as-a-service providers such as Cloudflare and Fastly to stand up alternative endpoints so that site owners can easily drop the original domain and switch to a replacement.

As Cloudflare researchers Sven Sauleau and Michael Tremante noted back in February: “The concerns are that any website embedding a link to the original polyfill[.]io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised.”

The Dutch e-commerce security firm reported that the domain “cdn.polyfill[.]io” has since been caught injecting malware that redirects users to sports betting and pornographic sites. “The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours,” it said. “It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.”

San Francisco-based c/side also issued an alert, noting that the domain maintainers had added a Cloudflare Security Protection header to their site between March 7 and 8, 2024. “The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution. The code is also obfuscated,” c/side said. According to the threat intelligence firm, users are being redirected to sports betting websites or adult domains, likely based on their location. “But this being JavaScript, could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft,” c/side warned.
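Because the payload only activates for certain devices and hours, a site owner cannot rely on loading the page once to see whether they are affected; the reliable check is whether the page source still references the domain at all. The following is an added example (not code from the article, Cloudflare, c/side, or the Polyfill project) that scans an HTML document for any `<script src>` or `<link href>` pointing at polyfill.io or one of its subdomains, so the reference can be removed or replaced; the sample page it scans is constructed.

```python
"""Find script/link tags that load from the polyfill.io CDN (added defender example)."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain discussed in the article; any subdomain (e.g. cdn.polyfill.io) also matches.
POLYFILL_HOSTS = ("polyfill.io",)


def is_polyfill_host(url: str) -> bool:
    """True if the URL's host is polyfill.io or a subdomain of it (case-insensitive)."""
    # Protocol-relative "//cdn.polyfill.io/..." already parses; relative paths get no host.
    parsed = urlparse(url if "//" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in POLYFILL_HOSTS)


class PolyfillFinder(HTMLParser):
    """Collects (tag, url) for every <script src> / <link href> that hits the CDN."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr = {"script": "src", "link": "href"}.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url and is_polyfill_host(url):
            self.hits.append((tag, url))


def find_polyfill_refs(html: str) -> list[tuple[str, str]]:
    """Return all polyfill.io references found in the given HTML, in document order."""
    parser = PolyfillFinder()
    parser.feed(html)
    return parser.hits


# Constructed sample page: absolute and protocol-relative CDN references, one unrelated
# script, and a preconnect hint with mixed-case host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.com/app.js"></script>
<link rel="preconnect" href="https://CDN.POLYFILL.IO">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"<{tag}> loads from polyfill.io: {url}")
```

Run it over each saved page template (or crawled page source) rather than the rendered DOM, since the injected script only appears for targeted clients.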

The findings follow an advisory that a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) has remained largely unpatched despite a patch being available since June 11, 2024.