Major Supply Chain Attack Impacts Over 110,000 Websites Through Hijacked Polyfill Service

June 26, 2024

Google has initiated measures to block advertisements for e-commerce platforms that utilize the Polyfill.io service. This response comes in the wake of a Chinese firm, Funnull, acquiring the domain and altering the JavaScript library, known as 'polyfill.js', to redirect users to harmful and fraudulent websites. As per a report from Sansec, a security firm specializing in e-commerce, the supply chain attack has affected over 110,000 websites that incorporate the library.

Polyfill is a widely used library that adds support for modern web-platform features in browsers that do not yet implement them natively. The acquisition of the domain by Funnull earlier this year raised alarm bells. Andrew Betts, the original developer of the project, advised website owners to promptly remove it, stating, "no website today requires any of the polyfills in the polyfill[.]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

This situation led web infrastructure providers Cloudflare and Fastly to propose alternative endpoints to assist users in transitioning away from Polyfill.io. Cloudflare researchers Sven Sauleau and Michael Tremante highlighted the risks, saying, "Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."
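Before switching to one of the alternative endpoints, a site owner first needs to know which pages still reference the hijacked domain. The following scanner is an added example, not code from Sansec, Cloudflare or Fastly: it walks a page's HTML and reports every script (or script preload) loaded from polyfill.io or any of its subdomains, including protocol-relative and mixed-case references that a naive string search would miss. The sample HTML is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts to flag: the hijacked domain and any subdomain of it (e.g. cdn.polyfill.io).
FLAGGED_HOSTS = ("polyfill.io",)


def _is_flagged(host):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class _ScriptRefCollector(HTMLParser):
    """Collects script src values and preload/modulepreload link targets."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "link" and a.get("href") and ("preload" in rel or "modulepreload" in rel):
            self.refs.append(a["href"])


def find_polyfill_refs(html, page_url="https://example.com/"):
    """Return the script URLs in `html` that are served from polyfill.io.

    Protocol-relative references ('//cdn.polyfill.io/...') inherit the page's
    scheme so they resolve to a host; host matching is case-insensitive.
    """
    parser = _ScriptRefCollector()
    parser.feed(html)
    hits = []
    for ref in parser.refs:
        url = ref.strip()
        if url.startswith("//"):
            url = urlsplit(page_url).scheme + ":" + url
        host = urlsplit(url).hostname  # None for relative paths like /static/app.js
        if host and _is_flagged(host):
            hits.append(url)
    return hits


# Constructed sample page: two direct loads, one preload, one first-party script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//CDN.Polyfill.io/v2/polyfill.min.js"></script>
<link rel="preload" as="script" href="https://cdn.polyfill.io/v3/polyfill.js">
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_polyfill_refs(SAMPLE_HTML):
        print("polyfill.io reference:", hit)
```

Run it against saved copies of each template or crawled page; every reported URL is a script tag to replace or remove.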

Sansec has discovered that the domain 'cdn.polyfill[.]io' is now involved in injecting malware that redirects users to sports betting and adult content websites. The firm noted that the code has specific protection against reverse engineering, and only activates on specific mobile devices at certain times. It also doesn't activate when an admin user is detected and delays execution when a web analytics service is found, presumably to avoid detection in the stats.

It has also been revealed that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024. The development comes alongside a separate advisory about a critical security flaw affecting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that remains largely unpatched despite fixes being available since June 11, 2024. Sansec, which has codenamed the exploit chain CosmicSting, stated that "In itself, it allows anyone to read private files (such as those with passwords)."

However, when combined with the recent iconv bug in Linux (CVE-2024-2961), it becomes an even more severe security issue, allowing third parties to gain API admin access without needing a Linux version vulnerable to the iconv issue.
