More than 384,000 websites, including Hulu, Pearson, Mercedes-Benz, and Warner Bros., still link to the Polyfill tool, which was compromised by a supply-chain attack a few weeks ago. The attack occurred after Polyfill had been acquired by a Chinese company, Funnull.
Of the several hundred thousand websites, more than 60% were hosted on Germany-based Hetzner.
The JavaScript code hosted at polyfill[.]io was a trusted open-source project for years. This code enabled older browsers to support advanced functions they couldn’t natively handle, making it a popular choice for websites aiming to ensure compatibility across devices. By embedding links to cdn.polyfill[.]io, these sites could ensure their content is rendered correctly, even on legacy browsers.
The news triggered industry-wide action. Within two days, domain registrar Namecheap suspended the polyfill domain, halting the malicious activity. Content delivery networks like Cloudflare replaced polyfill links with safer alternatives, while Google blocked ads for sites using the compromised domain. uBlock Origin, a popular ad blocker, added polyfill[.]io to its filter list, reports Ars Technica.
After the action, Polyfill cried foul and moved to polyfill[.]com.
Despite these measures, researchers observed that more than 384,000 websites were still linked to the malicious domain a week after the attack was disclosed. This included several high-profile websites of private entities and federal government sites, including ‘feedthefuture.gov.’ Researchers observed more than 180 hosts with a .gov domain.
This widespread impact underscores the severe risk of supply-chain attacks, which can potentially reach thousands or millions of users through a single compromised source.
Further analysis by researchers revealed that over 1.6 million sites linked to other domains registered by the same entity that owns polyfill[.]io. One such domain, bootcss[.]com, was observed conducting similar malicious actions.
Additionally, this domain and three others — bootcdn[.]net, staticfile[.]net, and staticfile[.]org — were found to have leaked the user’s authentication key for accessing a Cloudflare programming interface.
While bootcss.com is currently the only domain showing clear signs of malicious activity, researchers caution against dismissing the potential risk by other associated domains.
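Because the risk described above comes from a site's own HTML pointing at a third-party host, the practical first check for a site owner is to scan the served markup for script, stylesheet, iframe and image loads from the domains the article names. The following scanner is an added example written for this article, not code from the researchers or from the Polyfill project. The domain list is taken from the article (with the defanging brackets removed so hostnames can be compared); the sample HTML page, including its URLs, is constructed for the demonstration and is not a real site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the article names as compromised (polyfill.io, its new polyfill.com home)
# or as registered by the same owner (bootcss.com, bootcdn.net, staticfile.net,
# staticfile.org). Written with real dots here so hostnames can be matched.
FLAGGED_DOMAINS = {
    "polyfill.io",
    "polyfill.com",
    "bootcss.com",
    "bootcdn.net",
    "staticfile.net",
    "staticfile.org",
}


class ExternalResourceScanner(HTMLParser):
    """Collects (tag, url) for every element that loads an external resource."""

    URL_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.URL_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.resources.append((tag, value))


def host_of(url):
    """Hostname of a URL; protocol-relative URLs ("//cdn.example/x.js") are common in old embeds."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def matched_domain(host):
    """Return the flagged domain that host equals or is a subdomain of, else None.

    Subdomain matching is what catches the real embed form, cdn.polyfill.io.
    A suffix match alone would also flag unrelated hosts such as notpolyfill.io,
    so the comparison requires a dot boundary.
    """
    for domain in FLAGGED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def is_flagged_host(host):
    return matched_domain(host) is not None


def find_flagged_resources(html):
    """Return [(tag, url, flagged_domain)] for every external load from a flagged domain."""
    scanner = ExternalResourceScanner()
    scanner.feed(html)
    findings = []
    for tag, url in scanner.resources:
        domain = matched_domain(host_of(url))
        if domain is not None:
            findings.append((tag, url, domain))
    return findings


# Constructed sample page for the demonstration; these URLs are not a real site.
# It mixes three flagged loads with a non-flagged CDN and a same-origin script.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.staticfile.org/bootstrap/5.3.0/css/bootstrap.min.css">
<script src="https://cdn.example-safe-host.test/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    # In practice, feed the scanner the HTML fetched from each page of your own site.
    for tag, url, domain in find_flagged_resources(SAMPLE_PAGE):
        print(f"FLAGGED <{tag}> loads from {domain}: {url}")
```

Run against a site's own pages, the scanner reports each offending element so it can be removed or replaced with the alternatives the article mentions CDNs now serve. The dot-boundary check in `matched_domain` matters: a naive substring match would both miss nothing and flag unrelated hostnames that merely end in the same letters.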
“This story is a reminder of the growing threat of supply chain attacks on open-source projects, especially in the web development ecosystem where applications rely on a diverse technology stack of open-source packages for functionality,” cautioned researchers.