Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

In a significant development in the realm of web security, over 110,000 websites, including high-profile sites like hulu.com, intuit.com and texas.gov have been affected by a supply chain attack on the popular JavaScript library, Polyfill.io.

Google’s Response

Google has taken immediate action by blocking ads for
e-commerce sites using Polyfill.io. In a statement shared with The Hacker News,
Google emphasized, “Protecting our users is our top priority. We detected
a security issue recently that may affect websites using certain third-party
libraries. To help potentially impacted advertisers secure their websites, we
have been proactively sharing information on how to quickly mitigate the

The Impact

According to a report by cybersecurity firm Sansec, more
than 110,000 websites embedding the Polyfill library are impacted by this
attack. Polyfill.io, a widely-used library, provides support for modern web
functions across different browsers. Concerns were raised when the domain was
purchased by Funnull earlier this February.

Andrew Betts, the original creator of the Polyfill project,
urged website owners to remove the library, stating, “No website today
requires any of the polyfills in the polyfill[.]io library. Most features added
to the web platform are quickly adopted by all major browsers.”

Alternative Solutions

Web infrastructure providers like Cloudflare and Fastly have
offered alternative endpoints to assist users in migrating away from
Polyfill.io. Cloudflare researchers Sven Sauleau and Michael Tremante noted the
risks, stating, “Any website embedding a link to the original
polyfill[.]io domain will now be relying on Funnull to maintain and secure the
project to avoid the risk of a supply chain attack.”

Malicious Activities Detected

Sansec reported that the domain
“cdn.polyfill[.]io” was found injecting malware to redirect users to
sports betting and pornographic sites. The malware activates under specific
conditions, such as targeting mobile devices at certain hours and avoiding
detection by web analytics services.

Community Response

San Francisco-based c/side also issued an alert, noting the
addition of a Cloudflare Security Protection header by the domain maintainers
between March 7 and 8, 2024. The findings come on the heels of an advisory
about a critical security flaw in Adobe Commerce and Magento websites
(CVE-2024-34102, CVSS score: 9.8), which remains largely unpatched.

Ongoing Concerns

Cloudflare has issued fresh warnings, urging website owners
to remove Polyfill.io due to ongoing concerns about potential malicious code
injections. Cloudflare’s Matthew Prince, John Graham-Cumming, and Michael
Tremante stated, “We have never recommended the Polyfill[.]io service or
authorized their use of Cloudflare’s name on their website.”

Defensive Measures

In light of the attack, businesses are advised to invest in
advanced and automated solutions capable of monitoring and managing script
behavior and integrity in real-time. Pedro Fortuna, CTO and co-founder of
Jscrambler, highlighted, “While asking businesses to shift away from
JavaScript and third-party add-ons is not an option, companies can begin
investing in solutions to monitor and manage script behavior and


The Polyfill.io supply chain attack highlights the critical
vulnerabilities in commonly used web libraries, emphasizing the need for
rigorous security practices. As these attacks become more sophisticated, it is
imperative for organizations to prioritize robust security measures and stay
vigilant about potential risks within their software supply chain.

For a complimentary vulnerability scan of your development
infrastructure, contact our AI Cybersecurity practice at
security@axistechnical.com. We will also be reaching out to customers affected
by this attack.

Scroll to Top