Security News Polyfill.io JavaScript supply chain attack impacts over 100K sites

[nicolaasjan]

Content source

https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/

Over 100,000 sites have been impacted in a supply chain attack by the Polyfill.io service after a Chinese company acquired the domain and the script was modified to redirect users to malicious and scam sites.
A polyfill is code, such as JavaScript, that adds modern functionality to older browsers that do not usually support it. For example, it adds JavaScript functions that are not available for older browsers but are present in modern ones.
The polyfill.io service is used by hundreds of thousands of sites to allow all visitors to use the same codebase, even if their browsers do not support the same modern features as newer ones.

Polyfill.io supply chain attack​

Today, cybersecurity company Sansec warned that the polyfill.io domain and service was purchased earlier this year by a Chinese company named 'Funnull' and the script has been modified to introduce malicious code on websites in a supply chain attack.
"However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," explains Sansec.
When the polyfill.io was purchased, the project developer warned that he never owned the polyfill.io site and that all websites should remove it immediately. To reduce the risk of a potential supply chain attack, Cloudflare and Fastly set up their own mirrors of the Polyfill.io service so that websites could use a trusted service.

​

 

[nicolaasjan]

I guess adding this rule to uBlock Origin will counter it?
||cdn.polyfill.io/v2/polyfill.min.js$script

 

[Spiff]

I guess adding this rule to uBlock Origin will counter it?
||cdn.polyfill.io/v2/polyfill.min.js$script

Already blocked by uBlock filters – Badware risks:
||polyfill.io^$all

 

[Jonny Quest]

Already blocked by uBlock filters – Badware risks:
||polyfill.io^$all

Yep, just checked on my end as well as far as a Google search.

 

[nicolaasjan]

On sites using Cloudflare there is apparently no risk, since cdn.polyfill.io is CNAME'd to polyfill.io.cdn.cloudflare.net.

polyfill.io now available on cdnjs: reduce your supply chain risk

 

[nicolaasjan]

Polyfill claims it has been 'defamed', returns after domain shut down

The owners of Polyfill.io have relaunched the JavaScript CDN service on a new domain after polyfill.io was shut down as researchers exposed it was delivering malicious code on upwards of 100,000 websites.
The Polyfill service claims that it has been "maliciously defamed" and been subject to "media messages slandering Polyfill."

Polyfill: "Someone has maliciously defamed us"​

The Polyfill.io domain appears to have been shut down as of today by its registrar Namecheap.
The service owners have, however, relaunched the service on a new domain and claim that there are "no supply chain risks."
In a series of posts on X (formerly Twitter), the dubious CDN company has spoken out against allegations of it being involved in a large scale supply chain attack:
"We found media messages slandering Polyfill. We want to explain that all our services are cached in Cloudflare and there is no supply chain risk," writes Polyfill.
The service further claims that it has been "defamed" and dismissed that a risk exists from usage of its CDN:

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website,
but no one would do this as it would be jeopardize our own reputation.

We have already…
— Polyfill (@Polyfill_Global) June 26, 2024​

The service providers have relaunched the service on polyfill.com—also registered with Namecheap and fully functional at the time of test by BleepingComputer.

 

[nicolaasjan]

Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator

The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator, according to researchers.
Researchers discovered a public GitHub repository where the purported operators of Polyfill.io had accidentally exposed their Cloudflare secret keys.
By using these leaked API keys, which were still active, researchers were able to establish that a common operator was behind all four domains, and the wider supply chain attack.