polyfill.io security issue

Urgent Alert: Polyfill.io Security Issue – Attack Exposes Over 100,000 Websites to Malicious Code

Photo of author

By Elman Tabakovic

A severe security issue has emerged, affecting over 100,000 websites utilizing the popular Polyfill.io service.

This attack has led to the injection of malicious code, redirecting users to unwanted and potentially harmful sites. As website security remains a critical concern, understanding this threat and implementing immediate protective measures is essential.

TL;DR – Polyfill.io

A recent supply chain attack on Polyfill.io has compromised over 100,000 websites by injecting malicious code. This attack redirects users to unwanted sites and evades detection through sophisticated techniques. Websites using Polyfill.io should immediately remove the scripts and implement Subresource Integrity (SRI) to prevent similar future attacks. Stay informed and conduct regular security audits to protect your site. For more details, refer to sources like SecurityWeek, BleepingComputer, and Invicti.

Or… just contact me if you need my service and implement immediate protective measures .

Background

Polyfill.io is an open-source service that provides JavaScript polyfills—small pieces of code that ensure modern functionalities in older browsers. This service has been widely adopted due to its ability to standardize web experiences across different browser versions.

In February 2024, the domain and associated GitHub account of Polyfill.io were acquired by a Chinese company named Funnull. This acquisition raised concerns within the developer community about potential supply chain attacks. These concerns were unfortunately validated when security researchers discovered that the Polyfill.io domain was being used to inject malicious code into websites.

The Security Problem with Polyfill.io

The attack vector involves the dynamic generation of malicious payloads based on HTTP headers. This means the malicious code can adapt and target specific mobile devices while evading detection. Some key points of the attack include:

  • Redirecting Users: The malicious code redirects users to sports betting and adult content sites.
  • Evasion Techniques: The code avoids detection by not activating when an admin user is detected and delaying execution when web analytics services are present.
  • Obfuscation: The code is heavily obfuscated, making it challenging to analyze and understand.

The malicious behavior was first noticed by website owners who observed abnormal activities and reported these issues to security researchers. This attack has primarily impacted sites loading scripts from the cdn.polyfill.io domain.

The Solution for Polyfill.io security issue

To protect your website from this significant threat, immediate action is required:

  1. Remove Polyfill.io Scripts:
    • Identify and remove any references to cdn.polyfill.io in your website’s code.
    • Check for alternative scripts from trusted sources like Cloudflare and Fastly, which offer safe mirrors of the Polyfill service.
  2. Implement Subresource Integrity (SRI):
    • Use SRI to ensure that the external resources your site loads have not been tampered with. This involves adding a hash to your script tags, which browsers can use to verify the integrity of the loaded resources.
    • Example of implementing SRI:
      <script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha384-KyZXEAg3QhqLMpG8r+Knujsl5+5hb7O5nj5LE1w7w7Fw5L5fwJFv0htS4TJ5R5B7" crossorigin="anonymous"></script>
  3. Regular Security Audits:
    • Conduct regular security audits to identify and mitigate vulnerabilities. Utilize security tools and services to scan your site for potential threats.
  4. Stay Informed:
    • Keep up with the latest security news and updates to quickly respond to emerging threats. Follow trusted sources and subscribe to security alerts from reputable organizations.

Conclusion

The Polyfill.io supply chain attack underscores the importance of vigilance and proactive security measures in web development. By removing compromised scripts, implementing SRI, and staying informed, you can safeguard your website and its users from similar threats. Act now to ensure your site’s security and maintain trust with your audience.

For more detailed information and updates, refer to these sources:

Stay safe and secure!