Getty Images/iStockphoto
Supply chain attacks conducted through Polyfill.io service
In February, a Chinese company named Funnell bought the Polyfill.io domain, which sparked concerns in the infosec community about potential supply chain threats.
Threat actors are leveraging the popular Polyfill.io service to conduct large-scale supply chain attacks, which has sent shockwaves across the infosec industry.
In a blog post on Tuesday, researchers at Dutch cybersecurity vendor Sansec revealed a massive supply chain campaign within Polyfill.io, a widely used JavaScript library service. Sansec discovered threat actors injected malicious Polyfill payloads into more than 100,000 websites. The researchers initially observed the activity beginning in February following the acquisition of Polyfill.io domain and GitHub account by Funnull, a Chinese company.
Sansec emphasized that the domain has been injecting malware into mobile devices through any website that embeds it using the cdn.polyfill.io domain. While the open source library is used to support older browsers, the potential attack scope is large. SanSec said more than 100,000 sites, including Intuit and World Economic Forum, use polyfill.
Manipulating GitHub features and accounts to conduct supply chain attacks has been an increasing trend throughout 2024.
"The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely," Sansec wrote in the blog.
Researchers investigated one incident where polyfill was maliciously leveraged to redirect mobile users to a sports betting site using a fake Google analytics domain. Sansec warned that the code was written with reverse engineering protection and only activated on specific devices at specific hours. More alarmingly, the code did not activate when it detected an admin user, and it delayed execution when a web analytics service was found.
"The original polyfill author recommends not to use polyfill at all, as it is no longer needed by the modern browsers anyway," the blog said.
Sansec updated the blog on Wednesday stating it experienced DDoS attacks following the publication of its Polyfill.io research. Additionally, researchers said Namecheap put the domain on hold, which "eliminates the risk for now." Security researchers had previously noted that Funnull had registered several backup domains for Polyfill.io with Namecheap and other domain name registrars.
Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website,
— Polyfill (@Polyfill_Global) June 26, 2024
but no one would do this as it would be jeopardize our own reputation.
We have already…
Mitigating the supply chain threat
Cloudflare announced on Wednesday that it has taken drastic measures against Polyfill.io and Funnull that essentially remove the domain from Cloudflare's content delivery network. Like SanSec and other vendors, Cloudflare observed threat actors using the service to inject malicious JavaScript code into users' browsers. Researchers warned users not to trust the JavaScript library service for many reasons, including false statements posted about Cloudflare on the Polyfill.io website.
Cloudflare advised that the service be removed from websites altogether.
"This is a real threat to the Internet at large given the popularity of this library," Cloudflare wrote in the blog post. "We have, over the last 24 hours, released an automatic JavaScript URL rewriting service that will rewrite any link to polyfill.io found in a website proxied by Cloudflare to a link to our mirror under cdnjs. This will avoid breaking site functionality while mitigating the risk of a supply chain attack."
Cloudflare added that any website on the free plan has the feature activated automatically. In February, Cloudflare created its own mirror of the Polyfill.io site amid suspicions of the domain's new owner, Funnull. At the time, Cloudflare stressed that Funnell was a relatively unknown company, which sparked supply chain risk concerns.
"The new owner was unknown in the industry and did not have a track record of trust to administer a project such as polyfill.io. The concern, highlighted even by the original author, was that if they were to abuse polyfill.io by injecting additional code to the library, it could cause far-reaching security problems on the Internet affecting several hundreds of thousands websites," the blog post said.
Cloudflare added that its concerns about supply chain attacks were realized on Tuesday when Polyfill.io users were redirected to malicious sites. The blog stressed that Cloudflare has not blocked the domain due to widespread web outage concerns. Cloudflare said estimates show polyfill.io is used "on nearly 4% of all websites."
Cloud service provider Fastly also created a mirror of Polyfill.io prior to Funnull's acquisition, citing similar concerns about potential supply chain threats.
TechTarget Editorial contacted Cloudflare and Sansec for additional comment, but the companies did not respond by press time.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
