A supply chain attack on Polyfill.io, a service that serves JavaScript polyfills so websites can use modern web APIs in browsers that lack native support, has affected over 110,000 websites worldwide. The incident led Google to block ads for e-commerce sites that load scripts from the polyfill[.]io service.
The attack follows the acquisition of the polyfill[.]io domain and its GitHub account in February by Funnull, a China-based content delivery network company, a change of ownership that had already raised significant security concerns.
Andrew Betts, the original creator of Polyfill, has advised website owners to remove the library promptly. He emphasised that “no website today requires any of the polyfills in the polyfill[.]io library,” noting that most web platform features are swiftly adopted by major browsers, with some exceptions like Web Serial and Web Bluetooth, which cannot be polyfilled.
“In February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the GitHub repository,” Sansec researchers note.
Researchers also warn that further attacks are likely, because the polyfill code is generated dynamically from the HTTP headers of each request. The response can therefore be tailored to a particular browser or device, and a payload served to one visitor need not be visible to anyone else who fetches the same script.
“Sansec decoded one particular malware (see below) which redirects mobile users to a sports betting site using a fake Google analytics domain (www.googie-anaiytics.com),” said researchers.
The malware is specifically designed to resist reverse engineering, and it activates only on certain mobile devices and at specific hours. To avoid detection and keep its foothold, it does not activate when it detects an admin login, and it delays execution when a web analytics service is active, presumably to keep the redirects out of the site's traffic statistics.
The security risks associated with the new ownership have led web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to assist users in migrating from polyfill[.]io.
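Because the service builds its response from request headers, fetching the script once from a desktop machine proves nothing about what a mobile visitor at another hour receives; the dependable check is to find every reference to the service in your own pages and remove it, as Betts advises. The following scanner is an added example, not code from the article, from Sansec or from the Polyfill project. It parses saved HTML and flags script, link and iframe references to polyfill.io hosts and to the typosquatted analytics domain named in the decoded payload. The sample page and the indicator lists are constructed from the hostnames given in the article; any other hosts are assumptions for the demo.

```python
"""Offline scanner for polyfill.io and fake-analytics references in saved HTML.

Added example (not the article's or Sansec's code). Indicator hosts are the
ones named in the article; the sample page below is constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the polyfill service whose ownership changed in February.
POLYFILL_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Typosquat of google-analytics.com used by the decoded redirect payload.
FAKE_ANALYTICS_HOSTS = {"googie-anaiytics.com", "www.googie-anaiytics.com"}

# Tags that pull in external resources, and the attribute carrying the URL.
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src"}


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for tags that load external resources."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        want = URL_ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                self.refs.append((tag, value.strip()))


def _hostname(url):
    """Lower-case host of a URL; protocol-relative '//host/...' embeds are common."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def classify_host(host):
    """Map a hostname to an indicator label, or None if it is not of interest."""
    if host in POLYFILL_HOSTS or host.endswith(".polyfill.io"):
        return "polyfill.io"
    if host in FAKE_ANALYTICS_HOSTS:
        return "fake-analytics"
    return None


def scan_html(html):
    """Return one finding per external reference that matches an indicator."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.refs:
        host = _hostname(url)
        label = classify_host(host)
        if label:
            findings.append({"indicator": label, "tag": tag, "host": host, "url": url})
    return findings


# Constructed sample page for the demo; not a real site. Two references to the
# compromised service (a preconnect hint and the script itself), one benign CDN
# script, one load from the fake analytics domain, and one same-origin script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://cdn.polyfill.io">
<script src="//cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://www.googie-anaiytics.com/gtag/js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['indicator']:15} <{f['tag']}> {f['url']}")
```

Run it over the HTML of each page template and any CMS-stored snippets, not just the home page; the preconnect hint is flagged on purpose, since a leftover hint keeps the host in your page even after the script tag is gone. A finding under "fake-analytics" in your own source means the injected redirect has been persisted or cached somewhere and warrants an incident response, not just a clean-up.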
This incident adds to a growing list of supply chain attacks. Yesterday, it was reported that malicious code injected into five WordPress plugins could allow attackers to gain admin privileges on sites running them.
In May, Justice AV Solutions, a prominent software provider used in legal environments, was the target of a supply chain attack, putting users at risk.