Alert: CDN Service “polyfill.io” Used by 100K+ Websites Provided Malicious Code in Responses

June 28, 2024

It’s not uncommon for things like domains and open-source projects to change hands. While many such transitions occur without incident, the recent case of Polyfill.io serves as a stark reminder of the inherent risks.

Key Points

  • Polyfill.io is a service used by over 100,000 websites, providing polyfill JavaScript code for backward compatibility with older browsers.
  • This service recently switched owners and was sold to a Chinese company, Funnull, in February 2024.
  • The new owners modified Polyfill.io service to silently inject malicious code.
  • This attack employs evasion techniques and apparently focuses on attacking mobile devices.
  • Do not use polyfill.io. Website owners and developers must immediately replace references to cdn.polyfill.io with trusted alternatives such as https://cdnjs.cloudflare.com/polyfill/.
  • This attack is NOT affecting the popular NPM package polyfill. If you’re using the NPM package directly and not cdn.polyfill.io, you’re on the safe side.
  • We advise not using the NPM package polyfill-service because of the new owners’ low reputation.

Polyfill.io – What You Need to Know

From Popular and Trusted Service to Trojan Horse

Polyfill.io, a service utilized by over 100,000 websites, enables modern JavaScript features to function seamlessly across older browsers. However, this widely trusted tool has recently become the epicenter of a significant supply chain attack, affecting its vast user base and beyond.

The sequence of events unfolded in February 2024 when the polyfill.io domain was acquired by Funnull, a Chinese company. This transaction immediately raised red flags among security experts, including Andrew Betts, the original developer of the Polyfill project. Betts swiftly cautioned the community against using the service, anticipating potential security vulnerabilities.

https://x.com/triblondon/status/1761852117579427975

These concerns were validated when security researchers uncovered that the new owners had modified the script served by cdn.polyfill.io to inject malicious code. This transformation turned the once-reliable and trusted service into a vehicle for supply chain attacks.

Websites using the compromised cdn.polyfill.io unknowingly served this malicious code to their visitors.

The Anatomy of the Attack

At the heart of this security breach is malicious JavaScript code, injected directly through the compromised cdn.polyfill.io domain. When a website includes a script tag pointing to cdn.polyfill.io, it unknowingly pulls in this malicious code, executing it in users’ browsers.

Not A Malicious Package

It’s crucial to distinguish this attack from vulnerabilities in NPM packages: it is not related to the polyfill NPM package or to open-source software packages generally. Whereas NPM packages are downloaded and installed locally into a project’s dependencies, this malicious code is served dynamically from the CDN each time a page loads. This means that even if a developer’s local environment and code repository are secure, the live website could still be serving malicious code to end users.

The Malicious Code

The attack utilizes dynamic payload generation, creating customized malicious content based on HTTP headers. This allows it to adapt its behavior to different environments, making it more difficult to identify and mitigate. Furthermore, the code is selective in its activation, targeting specific mobile devices.

To further evade discovery, the malicious code incorporates several evasion techniques. It avoids execution when it detects admin users or the presence of web analytics services. The code also employs delayed execution, postponing its actions to reduce the likelihood of being caught by immediate security scans.

Adding another layer of complexity, the entire malicious payload is obfuscated, making it more challenging to analyze its full capabilities.

In some instances, the attack introduces a fake Google Analytics script. Users receive tampered JavaScript files that include a link to “https://www.googie-anaiytics.com/gtags.js” (note the misspelling of “analytics”). This fraudulent script was found to redirect users to various malicious sites, including sports betting and pornographic websites, apparently based on the user’s geographic location.

While the current known actions of the malicious code are primarily focused on redirects, the nature of JavaScript means that the attack could evolve at any moment. Potential future threats include formjacking, where data from online forms could be stolen; clickjacking, which tricks users into clicking on disguised elements; and broader data theft, involving the collection and exfiltration of user information.

Industry Giants Respond

In response to the attack, major players in the tech industry have taken action. Cloudflare and Fastly set up their own mirrors of the Polyfill.io service to provide a trusted alternative, and Google has begun notifying advertisers whose landing pages include the compromised code, warning of potential ad disapprovals due to unwanted redirects.

Checkmarx Customers – What You Can Do

To find out if you are impacted by this attack, scan your web application with the custom SAST query below:

result = Find_Strings().FindByRegex(@"https?:\/\/(cdn\.polyfill\.io)");
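The query above flags the string in source; the added example below (not Checkmarx’s query or the Polyfill project’s code) does the same check over rendered HTML, also flags the fake analytics domain named in this post, and rewrites polyfill.io includes to the Cloudflare mirror. The sample HTML is constructed, and it assumes the mirror serves the same /v3/… paths as cdn.polyfill.io did.

```javascript
// Added example (not Checkmarx's query or the project's code): find <script>/<link>
// references to cdn.polyfill.io and to the fake analytics host, and rewrite polyfill includes.
const COMPROMISED_HOSTS = ["cdn.polyfill.io", "polyfill.io"];
const FAKE_ANALYTICS_HOST = "www.googie-anaiytics.com"; // typosquat seen in tampered files
const SAFE_MIRROR = "https://cdnjs.cloudflare.com/polyfill";

// Match quoted src/href values on script and link tags.
const TAG_RE = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;

function hostOf(url) {
  try {
    // Resolve against a dummy base so protocol-relative URLs (//cdn.polyfill.io/...) work.
    return new URL(url, "https://example.invalid/").hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Report each risky reference with its 1-based line number in the HTML.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, tag, url] = m;
    const host = hostOf(url);
    const line = html.slice(0, m.index).split("\n").length;
    if (COMPROMISED_HOSTS.includes(host)) {
      findings.push({ line, tag: tag.toLowerCase(), url, kind: "compromised-cdn" });
    } else if (host === FAKE_ANALYTICS_HOST) {
      findings.push({ line, tag: tag.toLowerCase(), url, kind: "injected-payload" });
    }
  }
  return findings;
}

// Point polyfill.io references at the mirror, keeping path and query
// (assumption: the mirror serves the same /v3/... paths).
function remediate(html) {
  return html.replace(TAG_RE, (whole, tag, url) => {
    if (!COMPROMISED_HOSTS.includes(hostOf(url))) return whole;
    const u = new URL(url, "https://example.invalid/");
    return whole.replace(url, SAFE_MIRROR + u.pathname + u.search);
  });
}

// Constructed sample: one compromised include, one safe include, one injected payload.
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="https://www.googie-anaiytics.com/gtags.js"></script>
</head><body></body></html>`;
```

The injected-payload finding is reported but deliberately not rewritten: a page carrying the fake gtags.js reference has already served tampered content and needs a manual review, not a URL swap.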

You can also contact Checkmarx Support or your account manager.

Conclusion

We advise not using the NPM package polyfill-service because of the new owners’ low reputation, even though its latest release to date is clean of malicious code.

The Polyfill.io supply chain attack serves as another wake-up call for the web development community, highlighting the vulnerabilities that can arise when widely-used services change hands. In response, website owners and developers should take immediate action: remove all references to cdn.polyfill.io, consider trusted alternatives like Cloudflare or Fastly mirrors, and evaluate self-hosting options.

This incident also underscores the importance of regularly auditing third-party dependencies, staying informed about ownership changes in critical services, and developing contingency plans for rapid migration.