
Over 110,000 websites affected by hijacked Polyfill supply chain attack

26 June 2024 | Press release | Supply Chain Attack / Web Security

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library (“polyfill.js”) to redirect users to malicious and fraudulent sites.

More than 110,000 websites that incorporate the library were affected by the supply chain attack, Sansec said in a report on Tuesday.

Polyfill is a popular library that lets older browsers support modern web features. Concerns were raised in early February after it was purchased by China-based content delivery network (CDN) company Funnull.

The project’s original creator, Andrew Betts, called on website owners to remove it immediately, adding that “today, no website needs any of the polyfills in the polyfill(.)io library” and “most of the functionality added to the web platform is quickly adopted by all major browsers, with a few exceptions that generally cannot be polyfilled anyway, such as Web Serial and Web Bluetooth.”


The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to make it easier for users to move away from Polyfill.io.

“The concern is that any website that embeds a link to the original polyfill.io domain will now rely on Funnull to maintain and secure the underlying project, thus avoiding the risk of a supply chain attack,” Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.

“Such an attack would occur if the underlying third party is compromised or nefariously modifies the code delivered to end users, resulting in all websites using the tool being compromised.”
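The risk Cloudflare describes is only present while a page still pulls its script from the hijacked domain, so the first defensive step is an inventory. The following Python scanner is an added example (not code from Sansec, Cloudflare, c/side or the polyfill project): it lists every script include that loads from polyfill.io or a subdomain of it and strips those tags, which is what the library's creator recommends. The sample HTML, the `.example` hostname and the subdomain-matching rule are constructed assumptions.

```python
"""Detect and strip <script> includes that load code from polyfill.io.
Constructed defender-side example, not code from Sansec, Cloudflare, c/side
or the polyfill project. Assumption: polyfill.io and all its subdomains count."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

AFFECTED_DOMAIN = "polyfill.io"


def is_polyfill_host(src: str) -> bool:
    """Exact or subdomain match; relative paths and notpolyfill.io never match."""
    if "//" not in src:          # same-origin relative path, carries no host
        return False
    host = (urlsplit(src).hostname or "").lower()   # also handles //host/...
    return host == AFFECTED_DOMAIN or host.endswith("." + AFFECTED_DOMAIN)


class ScriptIncludeScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []   # src of every external <script> tag

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)


def find_polyfill_includes(html: str) -> list[str]:
    """Return every script src that would pull code from polyfill.io."""
    scanner = ScriptIncludeScanner()
    scanner.feed(html)
    return [s for s in scanner.srcs if is_polyfill_host(s)]


# Matches an external script tag plus its empty body so both are dropped.
SCRIPT_TAG = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script>',
    re.IGNORECASE | re.DOTALL)


def remove_polyfill_includes(html: str) -> str:
    """Strip polyfill.io script tags; the project's creator says no site
    needs them today, so removal beats pointing at yet another third party."""
    return SCRIPT_TAG.sub(
        lambda m: "" if is_polyfill_host(m.group(1)) else m.group(0), html)


# Constructed sample page: two affected includes, two that must survive.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.example/jquery.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""
```

Run `find_polyfill_includes` over each page of a site's rendered HTML to build the inventory, then `remove_polyfill_includes` to produce the cleaned markup.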

The Dutch e-commerce security company said it has now discovered that the domain “cdn.polyfill(.)io” is injecting malware that redirects users to sports betting and porn sites.

“The code is specifically protected against reverse engineering and is only activated on certain mobile devices at certain times,” it says. “It is also not activated if it detects an administrator user. It also delays execution if a web analytics service is found, presumably to avoid ending up in the statistics.”

San Francisco-based c/side also issued a warning, noting that domain maintainers added a Cloudflare Security Protection header to their site between March 7 and March 8, 2024.


The findings follow an alert about a critical vulnerability affecting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8), which remains largely unpatched, although fixes have been available since June 11, 2024.

“By itself, it allows anyone to read private files (such as those containing passwords),” said Sansec, which codenamed the exploit chain CosmicSting. “However, when combined with the recent Iconv bug in Linux, it becomes a security nightmare of remote code execution.”

Since then, it has been discovered that third parties can gain API administrator access without requiring a Linux version vulnerable to the Iconv issue (CVE-2024-2961), making this issue even more severe.
