A supply chain attack involving the Polyfill JavaScript library has impacted over 110,000 websites, including prominent users like JSTOR and Intuit [1].
Description
The incident, discovered on June 25, 2024, was caused by a change in ownership of the Polyfill project earlier in 2024 [1]. The new owners, a Chinese company called Funnull, have been injecting malware into sites that embed the library via cdn.polyfill.io [1]. This malware redirects users to fraudulent sites, bookmakers, and online casinos [1]. Developers are advised to keep a close eye on third-party libraries and to regularly check and update dependencies to safeguard projects from similar risks [1].

Google has blocked ads for e-commerce sites using Polyfill.io because of the supply chain attack [2]. The original creator of Polyfill.io has advised website owners to remove it, as most modern browsers already support its functions [2]. Cloudflare and Fastly are offering alternative endpoints to help users transition away from Polyfill.io [2]. Concerns have been raised about relying on the compromised domain, cdn.polyfill.io, which has been injecting malware that redirects users to harmful sites [1] [2]. Additionally, a critical security flaw impacting Adobe Commerce and Magento websites remains largely unpatched, allowing remote code execution [2].

The modified script showed increased resistance to reverse engineering and required specific conditions for activation [3]. Website admins were warned to remove Polyfill.io following the sale of the domain, prompting Fastly and Cloudflare to set up mirrors of the service [3]. Google noted that similar unwanted redirects were observed in other services, indicating the potential for supply chain attacks on hundreds of thousands of websites [3].
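One concrete way to act on the advice above is to audit a site's HTML for script tags that still load from the compromised cdn.polyfill.io domain and, more generally, for third-party scripts pinned by no Subresource Integrity hash. The following is an added example written for this summary, not code from any of the cited articles; the sample HTML and the `cdn.example` host are constructed.

```python
"""Audit HTML for <script> tags loading from the compromised polyfill.io CDN."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts identified in the incident as serving injected malware after the sale.
COMPROMISED_HOSTS = {"cdn.polyfill.io", "polyfill.io"}


class ScriptAudit(HTMLParser):
    """Collect every external <script src=...> and whether it carries integrity=."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (src, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))


def _host(src):
    # Protocol-relative URLs ("//cdn.polyfill.io/...") have no scheme; add one so
    # urlparse returns the host instead of treating the whole string as a path.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def audit_html(html):
    """Return (kind, src) findings. Relative (first-party) scripts are skipped.
    SRI cannot pin polyfill.io anyway, since its response varies per browser;
    the fix for those hits is removal or a trusted mirror, not a hash."""
    p = ScriptAudit()
    p.feed(html)
    findings = []
    for src, has_sri in p.scripts:
        host = _host(src)
        if host in COMPROMISED_HOSTS or host.endswith(".polyfill.io"):
            findings.append(("compromised-cdn", src))
        elif host and not has_sri:
            findings.append(("third-party-no-sri", src))
    return findings


# Constructed sample page modelled on the embed pattern described above.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example/vendor.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="/static/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for kind, src in audit_html(SAMPLE_HTML):
        print(f"{kind}: {src}")
```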
Conclusion
The supply chain attack on the Polyfill JavaScript library has had significant impacts on a wide range of websites, prompting urgent action to mitigate risks and prevent future incidents. Website owners and developers must remain vigilant and proactive in monitoring and securing their dependencies to protect against similar threats in the future.
References
[1] https://stackdiary.com/polyfill-compromise-hits-100000-sites-in-a-supply-chain-attack/
[2] https://thehackernews.com/2024/06/over-110000-websites-affected-by.html
[3] https://www.scmagazine.com/brief/over-100k-sites-hit-by-polyfill-io-supply-chain-attack