Over 110,000 Websites Compromised in Polyfill Supply Chain Attack

Polyfill.io Supply Chain Attack Compromises Over 110,000 Websites

In a concerning development for e-commerce and web developers, Google has responded to a supply chain attack targeting the widely used Polyfill.io service. The attack follows the acquisition of the domain by a Chinese company, which has modified the JavaScript library "polyfill.js" to redirect users to fraudulent and malicious websites. As a preventive measure, Google has blocked associated ads for impacted e-commerce sites and shared guidance on mitigating the vulnerabilities exploited by this attack.

The company issued a statement through The Hacker News, emphasizing that user safety is its foremost priority. A security issue was identified that potentially jeopardizes any website relying on specific third-party libraries. To assist vulnerable advertisers, Google has taken proactive steps to disseminate information for immediate remediation.

According to a Tuesday report from Sansec, more than 110,000 websites that integrate Polyfill.io have been compromised due to this supply chain attack. The Polyfill library itself serves a crucial role in providing compatibility for modern JavaScript functions across various web browsers. Concerns were first raised in February when content delivery network (CDN) provider Funnull acquired the service, prompting warnings from Andrew Betts, the library’s original creator. Betts called for the immediate removal of the library, asserting that contemporary web standards have effectively made its functions redundant for most sites.

In response to the situation, prominent web infrastructure providers, including Cloudflare and Fastly, have introduced alternative endpoints, urging users to disengage from the potentially compromised Polyfill.io service. Cloudflare’s researchers highlighted the risks of using an untrusted third party to host such critical components, stating that if the service is compromised, all linked websites would be vulnerable to manipulation and exploitation.

Reports indicate that following the acquisition, the domain "cdn.polyfill.io" has begun injecting malware designed to funnel users towards sports betting and adult sites. This malware features sophisticated measures to thwart reverse engineering, activating only under specific conditions to avoid detection by web analytics and administrators.

Further complicating the landscape, a different vulnerability has been identified in Adobe Commerce and Magento websites. Classified as CVE-2024-34102 with a critical CVSS score of 9.8, this flaw has remained unpatched on affected sites even though a fix has been available since June 2024. Researchers labeled the exploit chain CosmicSting; it can grant unauthorized access to sensitive files and, when chained with a known Linux bug, could lead to remote code execution.

In light of ongoing threats, Cloudflare has renewed warnings about the potential use of polyfill.io for injecting malicious JavaScript into user browsers. The company emphasized that it has never endorsed the service, nor authorized the use of its name. Despite its requests for clarification from the domain’s new maintainers, Cloudflare continues to express concerns about the integrity and safety of their service.

Recent developments indicate that the original polyfill.io has been taken down by its domain registrar, Namecheap, although it has since reemerged under a new domain: polyfill.com. This transition underscores a broader trend in supply chain attacks that increasingly target open-source projects.

The incident illustrates the risk inherent in supply chain dependencies, especially as many enterprises depend on third-party JavaScript for client-side functionality. As the Polyfill.io attack demonstrates, compromising a single shared dependency lets malicious actors affect a multitude of users across various sectors simultaneously. To mitigate these risks, experts recommend that businesses invest in solutions for monitoring script integrity and behavior in real time, as the cybersecurity landscape continues to evolve.
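A first practical step toward the script monitoring recommended above, and toward the "disengage from polyfill.io" advice from Cloudflare and Fastly, is simply to find every page that still loads from the affected domains. The following is an added example, not code from the article or from any of the vendors it mentions: a small Node.js audit that scans HTML for `<script>` tags whose `src` host is `polyfill.io` (or a subdomain such as the `cdn.polyfill.io` named in the article) or the successor domain `polyfill.com`, and records whether each tag carries a Subresource Integrity attribute. The sample page is constructed for the example; `example-cdn.invalid` and the `sha384-AAAA` hash are placeholders.

```javascript
// Added example (not from the article): audit HTML for <script> tags that load
// from the polyfill domains named in the article and report whether each one
// is pinned with Subresource Integrity (SRI).

// Domains named in the article: cdn.polyfill.io (original) and polyfill.com
// (where the service reappeared). The apex and any subdomain are matched.
const FLAGGED_HOSTS = ["polyfill.io", "polyfill.com"];

// Constructed sample page (not a real site): two flagged loads, one unrelated
// third-party script that does carry SRI, and one inline script.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.com/v3/polyfill.min.js"></script>
<script src="https://example-cdn.invalid/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script>console.log("inline")</script>
</head><body></body></html>`;

// Extract the hostname from a script src; protocol-relative URLs (//host/path)
// are common in older pages, so they are normalized before parsing.
function hostOf(src) {
  const normalized = src.startsWith("//") ? "https:" + src : src;
  try {
    return new URL(normalized).hostname.toLowerCase();
  } catch (_) {
    return null; // relative path or malformed URL: not a third-party load
  }
}

// True when host is one of the flagged domains or a subdomain of one.
function isFlaggedHost(host) {
  return FLAGGED_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Returns one finding per <script> whose src host is flagged:
// { src, host, hasIntegrity }.
function findFlaggedScripts(html) {
  const findings = [];
  const scriptTag = /<script\b([^>]*)>/gi; // attributes may span lines
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!srcMatch) continue; // inline script, nothing loaded remotely
    const src = srcMatch[1];
    const host = hostOf(src);
    if (!host || !isFlaggedHost(host)) continue;
    findings.push({
      src,
      host,
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return findings;
}

// Stand-alone run over the constructed page.
console.log(JSON.stringify(findFlaggedScripts(SAMPLE_HTML), null, 2));
```

Run it with `node audit.js`; in practice you would feed it each rendered page of a site (or a crawler's output) instead of `SAMPLE_HTML`. The `hasIntegrity` field is reported for completeness, but note the caveat: polyfill.io tailored its response to the requesting browser's User-Agent, so an SRI hash could never be pinned for it, and the finding is "remove or repoint this tag" rather than "add an integrity attribute". The remediation the article reports is to drop the dependency where modern browsers no longer need it, or to switch to the alternative endpoints Cloudflare and Fastly published.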

The ongoing vulnerability exposure reinforces the importance of vigilance and preparedness in cybersecurity strategy. As organizations increasingly rely on third-party libraries and services, maintaining an awareness of potential threats and implementing robust security measures will be essential in safeguarding digital assets.
