
Researchers warn of large-scale attacks on the polyfill supply chain

A popular JavaScript library used by over 100,000 websites has been found to inject malicious code into pages delivered to mobile users under certain circumstances, prompting researchers and CDN providers to warn website owners to remove the library immediately.

The incident began earlier this week when researchers noticed that the polyfill.io library was, in some cases, injecting dynamically generated code that redirected users to a third-party website. Researchers estimate that more than 100,000 websites are currently affected. Polyfill.io is a library that supplies, at load time, features that older browsers lack. Websites that use the library load it dynamically based on the HTTP headers sent by the user’s browser. It has been in use for many years, but the library’s author said in February that he had never owned the polyfill.io domain, which was purchased by a Chinese company in February.

“polyfill.js is a popular open-source library for supporting legacy browsers. Over 100,000 websites embed it via the cdn.polyfill.io domain. Known users include JSTOR, Intuit, and the World Economic Forum. However, in February this year, a Chinese company bought the domain and Github account. Since then, this domain has been caught injecting malware onto mobile devices via any website that embeds cdn.polyfill.io. All complaints were quickly removed from the Github repository (archive here),” researchers at e-commerce security firm Sansec said in an analysis of the incident.

“The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec has decrypted a specific malware (see below) that redirects mobile users to a sports betting website using a fake Google Analytics domain (www.googie-anaiytics.com). The code has special protection against reverse engineering and is only activated on certain mobile devices at certain times. It also does not activate if it detects an administrator user. It also delays execution if a web analytics service is found, presumably to avoid ending up in the statistics.”

In response to the incident, Cloudflare created its own secure mirror of polyfill.io and also replaced all references on its customers’ websites to the polyfill.io CDN with a redirect to that secure mirror. Fastly developed its own fork of polyfill.io in February and also released drop-in replacements for the original library. Namecheap, the registrar for the polyfill.io domain, has banned it and GitHub has also flagged the polyfill repository.

The researchers recommend that all website owners whose sites use the polyfill.io library search their code for references to it and remove them.
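One way to carry out that search is to scan a site's HTML and JavaScript for script references to polyfill.io, and to the fake analytics domain named in the Sansec analysis, before removing them. The script below is an added example, not tooling from Sansec, Cloudflare or the polyfill project; the sample HTML and JavaScript it runs on are constructed here for illustration, and the `strip_flagged_scripts` helper is a hypothetical remediation step that simply drops the offending `<script>` tags.

```python
import re
from html.parser import HTMLParser

# Domains named on the page: the compromised CDN and the look-alike
# analytics domain used by the injected redirect. Subdomains match too.
FLAGGED_DOMAINS = ("polyfill.io", "googie-anaiytics.com")

# Constructed sample page: two polyfill.io loads (one protocol-relative)
# and one unrelated script that carries an SRI hash.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example.com/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
</head><body></body></html>"""

# Constructed sample bundle that injects the loader from JavaScript,
# so no <script src> tag would be visible in the HTML itself.
SAMPLE_JS = 'var s=document.createElement("script");s.src="https://cdn.polyfill.io/v3/polyfill.min.js";document.head.appendChild(s);'


class _ScriptFinder(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))


def _host(url):
    """Return the lowercase host of an absolute or protocol-relative URL."""
    m = re.match(r"^(?:https?:)?//([^/?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def is_flagged_host(host):
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


def scan_html(html):
    """Report script tags that load from a flagged domain."""
    p = _ScriptFinder()
    p.feed(html)
    findings = []
    for src, has_sri in p.scripts:
        host = _host(src)
        if host and is_flagged_host(host):
            findings.append({"src": src, "host": host, "sri": has_sri})
    return findings


def scan_text(text):
    """Catch references in JS bundles or inline code, not just in tags."""
    pattern = r"(?:cdn\.)?polyfill\.io|(?:www\.)?googie-anaiytics\.com"
    return sorted({m.group(0).lower() for m in re.finditer(pattern, text, re.I)})


_SCRIPT_TAG = re.compile(r"<script\b[^>]*>\s*</script>", re.I)
_SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def strip_flagged_scripts(html):
    """Hypothetical remediation: remove <script> tags pointing at flagged hosts."""

    def repl(m):
        tag = m.group(0)
        s = _SRC_ATTR.search(tag)
        host = _host(s.group(1)) if s else None
        return "" if host and is_flagged_host(host) else tag

    return _SCRIPT_TAG.sub(repl, html)


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("flagged script:", f["src"], "(SRI present)" if f["sri"] else "(no SRI)")
    print("references in JS bundle:", scan_text(SAMPLE_JS))
    print("remaining findings after strip:", scan_html(strip_flagged_scripts(SAMPLE_HTML)))
```

Because polyfill.io generates its response from the requesting browser's headers, a Subresource Integrity hash cannot pin its content, which is why the finding records whether `integrity` was present: a flagged load without SRI is exactly the case the page describes, where the CDN can serve different code to different visitors.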

“Given the scale of this attack, we expect it will be several weeks before we understand the true impact of this attack on the supply chain. However, attacks like this can be quite devastating,” said Ax Sharma of Sonatype.