Polyfill Supply Chain Attack Affects Over 110,000 Websites: Google’s Response and Security Concerns
In a notable development in the cybersecurity landscape, Google has moved to protect users of e-commerce sites by blocking ads on websites that load JavaScript from the Polyfill.io service. The measure follows the acquisition of the Polyfill.io domain by a Chinese company, which then altered the JavaScript library it serves (“polyfill.js”) so that it redirects visitors to malicious websites and scam operations.
A report by the cybersecurity firm Sansec found that more than 110,000 websites embedding this library are now exposed by the supply chain attack: every page that loads the script from the hijacked domain runs whatever code the new operators choose to serve, with the same privileges as the site's own scripts. The incident illustrates how severe the risk becomes when a third-party dependency that pages fetch at runtime is taken over or manipulated.
Polyfill.io is a widely used service that serves polyfills: scripts that implement modern web features in older browsers so that a site behaves uniformly across them. In February, concern spread through the web development community when Funnull, a content delivery network (CDN) company based in China, acquired the Polyfill.io domain. The acquisition alarmed developers and security experts, who feared that whoever controlled the domain could use it to push malicious code to every dependent site and expose user data.
Andrew Betts, the original creator of Polyfill, responded quickly to the news, warning website owners to stop using the library immediately. Betts emphasized that “no website today requires any of the polyfills in the polyfill.io library,” as most new web features are rapidly adopted by all major browsers. He noted exceptions, such as Web Serial and Web Bluetooth, which cannot be replicated effectively through polyfills anyway.
Recognizing the urgency of the situation, web infrastructure providers Cloudflare and Fastly have offered alternatives. Both companies set up endpoints under their own control that serve the same polyfills, so website owners can move away from the now-compromised Polyfill.io service by changing the script URL, removing the risk of malicious code being injected through the original domain.
Cloudflare researchers Sven Sauleau and Michael Tremante have provided further insight into the risks of relying on a domain managed by Funnull. They outlined the catastrophic potential of a compromised or maliciously altered Polyfill codebase: because the script executes in the browser of every visitor to every dependent site, a single malicious change could lead to widespread breaches across all of those websites. Such breaches could not only compromise sensitive user data but also undermine the integrity of the sites themselves, posing significant risks to both businesses and their customers.
The Sansec report sheds light on even more concerning developments, revealing that the domain “cdn.polyfill[.]io” has been actively used to inject malware. This malware redirects users to questionable sports betting and pornographic sites. The malicious code incorporates techniques to evade detection and reverse engineering: it only activates on specific mobile devices at certain times, and it does not execute when it detects an admin user or the presence of web analytics services, so site operators and monitoring tools examining the page are unlikely to see the payload. These tactics suggest that the attackers carefully planned a targeted campaign to maximize its effectiveness while staying unnoticed.
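A practical way to act on the guidance above (dropping the Polyfill.io reference or pointing it at a mirror) is to scan the site's HTML for the offending script tags. The Node.js script below is an added example and is not code from the article, from Sansec, or from any vendor's tooling. It finds `<script>` tags whose src points at polyfill.io or any of its subdomains, reports them, and rewrites them to a mirror; the mirror host and path prefix are assumptions chosen for illustration, and the sample HTML is constructed. Subresource Integrity is not a substitute for this: polyfill.io tailors each response to the requesting User-Agent, so no single hash can pin it, and removing or relocating the reference is the only reliable fix.

```javascript
// Added example (not from the article): find <script> tags loading from
// polyfill.io and rewrite them to a mirror host. Mirror host/prefix below
// are assumptions for illustration; use the endpoint of a provider you trust.

const POLYFILL_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io"]);
const MIRROR_HOST = "cdnjs.cloudflare.com"; // assumed replacement host
const MIRROR_PREFIX = "/polyfill";          // assumed path prefix on the mirror

// Matches a <script ...> opening tag with a quoted src attribute.
// Limitation: unquoted src values are not matched.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1[^>]*>/gi;

// Resolve the src (which may be protocol-relative, e.g. //cdn.polyfill.io/...)
// against a dummy base so the URL parser can extract the hostname reliably.
// A substring check would be fooled by query strings such as ?u=cdn.polyfill.io.
function isPolyfillIo(src) {
  let url;
  try {
    url = new URL(src, "https://example.invalid/");
  } catch {
    return false; // unparsable src cannot be a polyfill.io reference
  }
  const host = url.hostname.toLowerCase();
  return POLYFILL_HOSTS.has(host) || host.endsWith(".polyfill.io");
}

// Return every script src in the document that loads from polyfill.io.
function findPolyfillScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    if (isPolyfillIo(m[2])) hits.push(m[2]);
  }
  return hits;
}

// Rewrite one polyfill.io URL to the mirror, keeping path and query intact.
function rewriteToMirror(src) {
  const url = new URL(src, "https://example.invalid/");
  url.protocol = "https:";
  url.hostname = MIRROR_HOST;
  url.pathname = MIRROR_PREFIX + url.pathname;
  return url.toString();
}

// Rewrite every polyfill.io script tag in the document; other tags untouched.
function rewriteHtml(html) {
  return html.replace(SCRIPT_SRC_RE, (tag, quote, src) =>
    isPolyfillIo(src) ? tag.replace(src, rewriteToMirror(src)) : tag
  );
}

// Constructed sample page (not a real site) for demonstration.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>`;

console.log("polyfill.io references:", findPolyfillScripts(SAMPLE_HTML));
console.log("after rewrite:", findPolyfillScripts(rewriteHtml(SAMPLE_HTML)));
```

Run it against real pages by feeding the fetched HTML to `findPolyfillScripts` first; review the report before applying `rewriteHtml`, since the mirror must actually serve the same paths your pages request. Pairing this with a Content-Security-Policy `script-src` directive that does not list polyfill.io gives a second, browser-enforced line of defence against any reference the scan misses.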
Further complicating the situation, the San Francisco-based security firm c/side issued an alert about a suspicious addition of a Cloudflare Security Protection header by the current domain operators between March 7 and 8, 2024. The addition raises further questions about the intentions and security practices of those now in control of the Polyfill.io domain, suggesting a possible attempt to present a facade of security while harboring malicious intent.
The timing of these revelations coincides with another serious advisory concerning a critical vulnerability affecting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8). Although security patches have been available since June 11, 2024, a substantial number of systems remain unpatched and open to exploitation. Sansec has named the exploit chain CosmicSting and describes it as an exceptionally dangerous threat, especially when combined with the recent glibc iconv vulnerability (CVE-2024-2961): together, the two allow attackers to achieve remote code execution on affected systems.
Additionally, it has been found that third parties could gain admin API access even on systems whose glibc is not susceptible to the iconv vulnerability, so the Magento flaw is serious on its own. This further complicates the security picture and underscores the urgent need for patching and heightened vigilance.
In conclusion, Google's move to block ads on affected e-commerce sites underscores the cybersecurity challenges posed by the takeover of the Polyfill.io domain. It serves as a powerful reminder of the importance of maintaining rigorous security practices and regularly auditing third-party dependencies, especially scripts loaded at runtime from domains outside one's control, to protect against supply chain attacks of this kind. Website owners are strongly advised to remove the Polyfill.io reference or switch to a trusted alternative, and to maintain a proactive stance in safeguarding their online environments against emerging threats.