Polyfill Supply Chain Attack Affects Over 110,000 Websites: Google’s Response and Security Concerns
In a significant security move, Google has begun blocking ads on e-commerce websites that use the Polyfill.io service. This action follows the acquisition of the Polyfill.io domain by a Chinese company, which subsequently modified the JavaScript library (“polyfill.js”) to redirect users to malicious and scam sites.
According to a recent report by Sansec, a staggering 110,000 websites that have embedded this library are affected by this supply chain attack. This incident underscores the critical vulnerabilities that can arise from third-party dependencies in web development.
Polyfill, a highly popular library, is designed to provide support for modern web functions across various browsers, ensuring compatibility and functionality. However, concerns emerged in February when the China-based content delivery network (CDN) company Funnull acquired the domain. This acquisition raised alarms in the web development community due to potential security risks.
Andrew Betts, the original creator of Polyfill, strongly advised website owners to remove the library immediately. He asserted that “no website today requires any of the polyfills in the polyfill.io library,” noting that most new features added to the web platform are rapidly adopted by major browsers. He pointed out exceptions like Web Serial and Web Bluetooth, which cannot be polyfilled effectively.
In light of these security concerns, major web infrastructure providers such as Cloudflare and Fastly have stepped in to offer alternative endpoints. This support aims to help users transition away from the compromised Polyfill.io service and mitigate potential security risks.
Cloudflare researchers Sven Sauleau and Michael Tremante elaborated on the dangers of relying on the Funnull-managed domain. They highlighted that any compromise or malicious alteration in the Polyfill.io code could result in widespread security breaches, impacting all websites using the tool. Such an attack could compromise user data and website integrity, posing severe risks to businesses and their customers.
Sansec’s report provided further alarming details, revealing that the domain “cdn.polyfill[.]io” has been actively injecting malware. This malware redirects unsuspecting users to dubious sports betting and pornographic sites. The malicious code is sophisticated, featuring specific protections against reverse engineering. It activates only on certain mobile devices at specific times, avoiding execution when detecting an admin user or a web analytics service. This level of obfuscation suggests a well-planned and targeted attack strategy.
San Francisco-based security firm c/side also issued an alert, noting a peculiar addition of a Cloudflare Security Protection header by the domain maintainers between March 7 and 8, 2024. This addition raises further questions about the security practices and intentions of those now controlling the Polyfill.io domain.
The timing of these revelations coincides with an advisory on a critical security flaw affecting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8). Despite the availability of fixes since June 11, 2024, this issue remains largely unpatched, posing significant risks. Sansec has codenamed the exploit chain CosmicSting, describing it as a severe threat, particularly when combined with the recent Linux iconv bug. This combination can lead to remote code execution, a security nightmare for affected systems.
Moreover, it has emerged that third parties can gain API admin access without needing a Linux version vulnerable to the iconv issue (CVE-2024-2961), further complicating the security landscape and heightening the urgency for corrective measures.
In summary, Google’s proactive steps to block ads on compromised e-commerce sites highlight the significant cybersecurity risks posed by the Polyfill.io domain’s security breach. E-commerce site owners are urged to seek secure alternatives and remain vigilant against potential vulnerabilities. This incident serves as a stark reminder of the importance of maintaining strict cybersecurity protocols and regularly auditing third-party dependencies to safeguard against such supply chain attacks.
