Polyfill Supply Chain Attack Injects 100,000+ Websites with Malware via CDN Assets

Updated on: June 29, 2024

Polyfill.js is a JavaScript library that lets old browsers run modern features they do not support natively. The library is popular among developers because it helps them offer a consistent user experience regardless of the browser the user is running. In February 2024, a Chinese company bought the domain polyfill.io and the GitHub account associated with it. Since then, they have been serving malware via cdn.polyfill.io, as pointed out by the team at Sansec.

Who is Impacted?

More than 100,000 websites embed cdn.polyfill.io to support old browser compatibility. A comprehensive list of websites can be seen here; some popular names include Intuit, Metro, and pCloud.

It was found that the same company has been injecting malware from a number of other domains too, including bootcss.com, bootcdn.net, and staticfile.net.

If we combine the impact of the above domains, the total number of affected websites is more than 300,000.

Chronology of The ‘Supply Chain’

A supply chain attack works on a simple principle: it attacks the weakest link in the chain instead of directly targeting the end victim. Organizations are often compromised through their suppliers or through the open source libraries they use. Here is how the Polyfill supply chain attack happened:

  1. The OSS code for polyfill was hosted on Fastly and was maintained by the community.
  2. In February 2024, the last maintainer announced that they were selling the project to a Chinese company. This Chinese company was apparently in the CDN business.
  3. After the acquisition, a new CNAME was added to the polyfill.io domain: polyfill.io.bsclink.cn
  4. The moment this happened, polyfill's original creator warned everyone:

The above was pointed out by several users on GitHub too. Here is another example where a GitHub user noticed the CNAME change.

How to detect if you are vulnerable to the Polyfill Supply Chain Attack?

  1. If you use Polyfill, there is a high probability that the polyfill.js vulnerability affected you as well. If your CDN provider is serving traffic from one of the affected domains listed below, you might be affected:
    • cdn.polyfill.io
    • bootcss.com
    • bootcdn.net
    • staticfile.net
  2. Some of the symptoms of a Polyfill.io attack infection include:
    • Redirection of end users to malicious sites
    • Cross Site Scripting (XSS) attacks
    • Stealing user information or hijacking sessions
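A quick way to check your own pages for the first symptom is to scan the HTML for script and stylesheet includes that load from the domains listed above. The following script is an added example, not code from the original post or from Astra; the sample HTML it scans is constructed for the demonstration, and the list of domains is taken from this post (polyfill.io is used as the base so that cdn.polyfill.io matches).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this post names as serving injected code after the takeover.
AFFECTED_DOMAINS = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.net")


def host_is_affected(host: str) -> bool:
    """True when host equals or is a subdomain of an affected domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AFFECTED_DOMAINS)


class ThirdPartyAssetFinder(HTMLParser):
    """Collects <script src> and <link href> values that point at affected hosts."""

    def __init__(self):
        super().__init__()
        self.hits = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href")
        if not url:
            return
        # Protocol-relative URLs ("//cdn.example/...") carry no scheme; prefix one
        # so urlparse extracts the host. Relative paths yield no hostname and are skipped.
        parsed = urlparse("https:" + url if url.startswith("//") else url)
        if parsed.hostname and host_is_affected(parsed.hostname):
            self.hits.append((tag, url))


def find_affected_assets(html: str) -> list:
    finder = ThirdPartyAssetFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample page: one polyfill.io include, one protocol-relative bootcdn.net
# stylesheet, and one first-party script that must not be flagged.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<link rel="stylesheet" href="//cdn.bootcdn.net/ajax/libs/example/1.0.0/example.min.css">
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_affected_assets(SAMPLE_HTML):
        print(f"[!] <{tag}> loads from an affected domain: {url}")
```

Run it against the HTML of your own pages (fetched with the same tooling you use for monitoring); every hit is an include to replace with a self-hosted copy or remove.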

Astra’s Vulnerability Scanner is Actively Detecting Polyfill Supply Chain Attack

The security research and detection team at Astra keeps a close eye on such vulnerabilities. We have proactively added detection for the Polyfill supply chain attack.

Shikhil Sharma

Shikhil Sharma is the founder & CEO of Astra Security. Being involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football. Astra Security has been rewarded at Global Conference on Cyber Security by PM of India Mr. Narendra Modi. French President Mr. François Hollande also rewarded Astra under the La French Tech program. Astra Security is also a NASSCOM Emerge 50 company.