Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.

"Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries," the company said in a statement shared with The Hacker News. "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."

More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.

Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull.

The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding "no website today requires any of the polyfills in the polyfill[.]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from polyfill[.]io.

"The concerns are that any website embedding a link to the original polyfill[.]io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

The Dutch e-commerce security firm said the domain "cdn.polyfill[.]io" has since been caught injecting malware that redirects users to sports betting and pornographic sites.

"The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours," it said. "It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."

San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.

The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.

"In itself, it allows anyone to read private files (such as those with passwords)," Sansec said, which codenamed the exploit chain CosmicSting. "However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution."

It has since emerged that third-parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.

Update

Cloudflare has issued fresh warnings, urging website owners to remove polyfill[.]io owing to ongoing concerns that it could be used to inject malicious JavaScript code into users' browsers

It also emphasized that it "has never recommended the polyfill[.]io service or authorized their use of Cloudflare's name on their website," and that it has asked them to "remove the false statement."

"They have, so far, ignored our requests," Cloudflare's Matthew Prince, John Graham-Cumming, and Michael Tremante said. "This is yet another warning sign that they cannot be trusted."

What's more, the website has been taken down by domain registrar Namecheap, although it has since migrated to another domain named polyfill[.]com, according to developer security platform Socket.

"We found media messages slandering polyfill," the CDN company said in a statement shared on X (formerly Twitter). "We want to explain that all our services are cached in Cloudflare and there is no supply chain risk."

"Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third-parties could introduce potential risks to your website, but no one would do this as it would jeopardize our own reputation."

In a follow-up message, Polyfill also accused Cloudflare of "repeated, baseless, and malicious defamation," claiming "their unethical strategy of suppressing competition before promoting their own products is deplorable."

The back-and-forth unfolds against the backdrop of supply chain attacks increasingly targeting the open-source community, as evidenced following a "credible" takeover attempt targeting the OpenJS Foundation and the discovery of malicious code embedded in the XZ Utils library.

"It is notable that the group or attacker behind [the XZ backdoor] has extensive knowledge of the internals of open-source projects such as SSH and libc, as well as expertise in code/script obfuscation used to start the infection," Kaspersky researchers Anderson Leite and Sergey Belov said.

With websites relying on JavaScript for client-side scripting, the polyfill[.]io situation is the latest example of how malicious actors can compromise widely-used products and services to inflict damage on all downstream customers at once.

"As businesses increasingly rely on client-side JavaScript development, JavaScript's weaknesses and client-side blind spots will continue to be exploited," Pedro Fortuna, CTO and co-founder of Jscrambler, said in a statement shared with The Hacker News.

"While asking businesses to shift away from JavaScript and third-party add-ons is not an option, companies can begin investing in more advanced and automated solutions capable of monitoring and managing script behavior and integrity in real-time."

(The story was updated after publication to include a response from Google, as well as additional information from Cloudflare and Polyfill.)