Polyfill Supply Chain Attack Hits Over 100k Websites 


Security researchers are warning of a web supply chain attack impacting over 100,000 websites that are using the ‘cdn.polyfill.io’ domain.

The polyfill.io website hosted a service that served JavaScript polyfills to sites: small pieces of code that provide modern functionality in older browsers and let a site work across a broader range of browsers.

In February 2024, however, the domain and associated GitHub account were taken over by the Chinese content delivery network (CDN) company Funnull, which sparked concerns of supply chain attacks being carried out via polyfill.io.

These concerns proved substantiated recently, when website owners using polyfill.io started noticing abnormal behavior and complained about it.

On Tuesday, security researchers at Sansec and C/side confirmed that the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it.

“The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely,” Sansec warned, noting that one payload was redirecting to a sports betting website that was using a fake Google analytics domain.

“The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution. The code is also obfuscated,” C/side said.

Users are being redirected to sports betting websites or adult domains, likely based on their location, the threat intelligence firm said.


“But this being JavaScript, could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft,” C/side warned.

While the Polyfill service appears to remain functional and clean, the cdn.polyfill.io domain should immediately be removed from any website, the threat intelligence firm said.
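A simple way to act on that advice is to audit the HTML your site serves for any script or link tag that loads from the polyfill.io domains. The following scanner is an added example written for this article; it is not code from Sansec, C/side or the polyfill project. The sample HTML and the jQuery integrity value are constructed for the demo, and the only hosts it flags are the polyfill.io domains named in the article.

```python
import re
from html.parser import HTMLParser

# Domains named in the article as the source of the injected code.
SUSPECT_HOSTS = {"cdn.polyfill.io", "polyfill.io"}


class ExternalResourceFinder(HTMLParser):
    """Collects every external <script src> and <link href> with its attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append({"tag": tag, "url": a["src"], "integrity": a.get("integrity")})
        elif tag == "link" and a.get("href"):
            self.refs.append({"tag": tag, "url": a["href"], "integrity": a.get("integrity")})


def host_of(url):
    """Return the host of an absolute or protocol-relative URL, or None for local paths."""
    m = re.match(r"^(?:https?:)?//([^/?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def find_polyfill_refs(html):
    """Return every external reference whose host is polyfill.io or a subdomain of it."""
    parser = ExternalResourceFinder()
    parser.feed(html)
    findings = []
    for ref in parser.refs:
        host = host_of(ref["url"])
        if host and (host in SUSPECT_HOSTS or host.endswith(".polyfill.io")):
            findings.append({**ref, "host": host})
    return findings


def audit(html):
    """Summarise the scan: how many polyfill.io references exist and how many lack SRI."""
    findings = find_polyfill_refs(html)
    return {
        "polyfill_refs": len(findings),
        "without_sri": sum(1 for f in findings if not f["integrity"]),
        "findings": findings,
    }


# Constructed sample page: two polyfill.io includes (one protocol-relative),
# one unrelated CDN include with a placeholder integrity value, and one inline script.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"
        integrity="sha384-PLACEHOLDER-NOT-A-REAL-HASH" crossorigin="anonymous"></script>
<script>console.log('inline, not external');</script>
</head><body></body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTML)
    print(f"polyfill.io references: {report['polyfill_refs']} "
          f"(without integrity attribute: {report['without_sri']})")
    for f in report["findings"]:
        print(f"  <{f['tag']}> {f['url']}")
```

Run it against the HTML your server actually emits (a saved copy of each template or a crawl of rendered pages), not only the source tree, because tag managers and plugins often add the include at render time. The `without_sri` count is reported for completeness: because polyfill.io builds each bundle per request from the HTTP headers, a fixed Subresource Integrity hash could not have been used with it, which is why the only remediation the article offers is removing the reference rather than pinning it.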

“This incident is a typical example of a supply chain attack,” Sansec underlined. Overall, more than 110,000 websites appear to be using cdn.polyfill.io.

Also on Tuesday, Google started warning advertisers about issues with loading JavaScript code from polyfill.io and several other domains, noting that site visitors may be redirected to malicious domains without their permission and that it would block Google Ads for the infected websites.

In February, after the China-based firm bought polyfill.io, Andrew Betts, the original polyfill author, warned that the new domain owner should not be trusted and that Polyfill should no longer be used, as modern browsers already contain the required functionality.

Responding to these concerns, web infrastructure providers such as Cloudflare announced the availability of alternatives to help users safely move from polyfill.io.

Related: Several Plugins Compromised in WordPress Supply Chain Attack

Related: Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor

Related: Vulnerability in R Programming Language Could Fuel Supply Chain Attacks
