Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack
In a significant development in the realm of web security, over 110,000 websites, including high-profile sites like hulu.com, intuit.com and texas.gov, have been affected by a supply chain attack on the popular JavaScript library Polyfill.io.

Google's Response

Google has taken immediate action by blocking ads for e-commerce sites using Polyfill.io. In a statement shared with The Hacker News, Google emphasized, "Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries. To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."

The Impact

According to a report by cybersecurity firm Sansec, more than 110,000 websites embedding the Polyfill library are impacted by this attack. Polyfill.io, a widely used library, provides support for modern web functions across different browsers. Concerns were raised when the domain was purchased by Funnull earlier this February. Andrew Betts, the original creator of the Polyfill project, urged website owners to remove the library, stating, "No website today requires any of the polyfills in the polyfill[.]io library. Most features added to the web platform are quickly adopted by all major browsers."

Alternative Solutions

Web infrastructure providers like Cloudflare and Fastly have offered alternative endpoints to assist users in migrating away from Polyfill.io. Cloudflare researchers Sven Sauleau and Michael Tremante noted the risks, stating, "Any website embedding a link to the original polyfill[.]io domain will now be relying on Funnull to maintain and secure the project to avoid the risk of a supply chain attack."

Malicious Activities Detected

Sansec reported that the domain "cdn.polyfill[.]io" was found injecting malware to redirect users to sports betting and pornographic sites. The malware activates under specific conditions, such as targeting mobile devices at certain hours and avoiding detection by web analytics services.

Community Response

San Francisco-based c/side also issued an alert, noting the addition of a Cloudflare Security Protection header by the domain maintainers between March 7 and 8, 2024. The findings come on the heels of an advisory about a critical security flaw in Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8), which remains largely unpatched.

Ongoing Concerns

Cloudflare has issued fresh warnings, urging website owners to remove Polyfill.io due to ongoing concerns about potential malicious code injections. Cloudflare's Matthew Prince, John Graham-Cumming, and Michael Tremante stated, "We have never recommended the Polyfill[.]io service or authorized their use of Cloudflare's name on their website."

Defensive Measures

In light of the attack, businesses are advised to invest in advanced and automated solutions capable of monitoring and managing script behavior and integrity in real time. Pedro Fortuna, CTO and co-founder of Jscrambler, highlighted, "While asking businesses to shift away from JavaScript and third-party add-ons is not an option, companies can begin investing in solutions to monitor and manage script behavior and integrity."

Conclusion

The Polyfill.io supply chain attack highlights the critical vulnerabilities in commonly used web libraries, emphasizing the need for rigorous security practices. As these attacks become more sophisticated, it is imperative for organizations to prioritize robust security measures and stay vigilant about potential risks within their software supply chain. For a complimentary vulnerability scan of your development infrastructure, contact our AI Cybersecurity practice at security@axistechnical.com. We will also be reaching out to customers affected by this attack.
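As an added example of the script-integrity check described under Defensive Measures (not code from the article or from any vendor it names), the following Python audits a page's HTML for script tags that load from the polyfill.io domain, which the article says should be removed, and for any other cross-origin script that lacks a Subresource Integrity attribute. The sample page and the SRI hash value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the article; subdomains such as cdn.polyfill.io match too.
FLAGGED_HOSTS = {"polyfill.io"}

def is_flagged(host):
    """True if host equals or is a subdomain of a flagged host."""
    return bool(host) and any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)

class ScriptAuditor(HTMLParser):
    """Record every <script src=...> with its host and whether it carries an SRI hash."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else None
        if not url:
            return
        # Protocol-relative URLs (//host/path) lack a scheme, which urlparse needs.
        host = urlparse("https:" + url if url.startswith("//") else url).hostname
        self.findings.append({"url": url, "host": host, "flagged": is_flagged(host),
                              "has_sri": bool(a.get("integrity"))})

def audit_html(html):
    """Parse a page and return one finding per script tag with a src attribute."""
    p = ScriptAuditor()
    p.feed(html)
    return p.findings

def problems(findings):
    """Actionable issues: flagged hosts, then cross-origin scripts without SRI."""
    out = []
    for f in findings:
        if f["flagged"]:
            out.append(f"REMOVE {f['url']} (host {f['host']} is flagged)")
        elif f["host"] and not f["has_sri"]:
            out.append(f"NO-SRI {f['url']} (third-party script without integrity attribute)")
    return out

# Constructed sample page, not from any real site; the SRI value is a placeholder.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/other.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""
```

Running `problems(audit_html(SAMPLE))` on the sample reports the two polyfill.io includes for removal and the one third-party script that has no integrity attribute; same-origin scripts are left alone.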