If you are using Polyfill.io code on your site (like more than 100,000 others), remove it immediately

The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization purchased the domain earlier this year.

Several security companies sounded the alarm on Tuesday, warning organizations whose websites use JavaScript code from the polyfill.io domain to remove it immediately.

The site offered polyfills: small pieces of JavaScript that give older browsers functionality that newer versions have built in. These shims make life easier for developers because, by using polyfills, they know their web code will work across a wider range of browsers.

Now we’re told that polyfill.io is serving malicious code hidden within those scripts, meaning anyone who visits a website that loads from the domain will end up running that malware in their browser.

“The cdn.polyfill.io domain is currently being used in a web supply chain attack,” Carlo D’Agnolo of security monitoring biz c/side said in an advisory. “It used to host a service for adding JavaScript polyfills to websites, but now injects malicious code into scripts served to end users.”

Additionally, we understand that Google has begun blocking Google Ads for websites using the affected code, presumably to reduce traffic to these websites and reduce the number of potential victims. Affected site owners have also been warned by the internet giant.

“We recently discovered a security issue that could affect websites that use certain third-party libraries,” a Google spokesperson told The Register. “To help potentially affected advertisers secure their websites, we have proactively shared information on how we can quickly resolve the issue.”

Sites that embed poisoned scripts from polyfill.io and also bootcss.com can unexpectedly redirect visitors from their intended location and send them to malicious sites, Google told advertisers.
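A site owner's first step is finding out whether any page loads scripts from the domains named above. The following scanner is an added example (not code from the article or from any of the vendors quoted): it parses a constructed HTML sample, flags `<script>` and `<link>` references whose host is polyfill.io or bootcss.com or a subdomain of either (such as cdn.polyfill.io), and ignores lookalike hosts that merely contain the string.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the advisories; subdomains such as cdn.polyfill.io
# are matched by suffix, lookalikes such as polyfill.io.example.net are not.
SUSPECT_DOMAINS = ("polyfill.io", "bootcss.com")

class ScriptSrcFinder(HTMLParser):
    """Collect the src/href of every <script> and <link> tag with its line number."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, line)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        url = dict(attrs).get("src") or dict(attrs).get("href")
        if url:
            self.refs.append((tag, url, self.getpos()[0]))

def host_is_suspect(url):
    """True if the URL's host is one of SUSPECT_DOMAINS or a subdomain of one."""
    if url.startswith("//"):          # protocol-relative URLs are common in older pages
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()   # relative paths have no host
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def find_poisoned_refs(html):
    """Return [(tag, url, line)] for every external reference to a suspect host."""
    parser = ScriptSrcFinder()
    parser.feed(html)
    return [ref for ref in parser.refs if host_is_suspect(ref[1])]

# Constructed sample page: two hits, one safe CDN, one lookalike host.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script src="https://polyfill.io.example.net/x.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url, line in find_poisoned_refs(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```

Run it over each HTML template or crawled page; any hit is a tag to remove or to point at one of the mirrors mentioned later in the article.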

More than 100,000 sites already contain the hostile scripts, according to Sansec’s forensic security team, which claimed Tuesday that Funnull, a Chinese CDN operator that bought the polyfill.io domain and its GitHub account in February, has since been using the service in a supply chain attack.

Polyfill.io is used by the academic library JSTOR, as well as Intuit, the World Economic Forum and many more.

Since February, “this domain has been caught injecting malware into mobile devices through any site embedding cdn.polyfill.io,” warned Sansec, an e-commerce security company, adding that all complaints about the malicious activity are quickly disappearing from the GitHub repository.

“The polyfill code is dynamically generated from the HTTP headers, so multiple attack vectors are likely,” Sansec said.

Andrew Betts, who created the open source polyfill service project in the mid-2010s, told people earlier this year not to use polyfill.io at all. As we understand it, Betts maintained the project and its GitHub repository until a few years ago, and now argues that it is no longer needed.

In February, he said he had nothing to do with the sale of the domain name, and presumably its GitHub repository, to the Chinese CDN operator, and urged everyone to take the precaution of removing the code from their web pages after the change of ownership.

“If you own a website, loading a script implies an incredible relationship of trust with that third party,” he said at the time. “Do you actually trust them?”

Soon after, other popular CDN providers, including Fastly, where Betts works today, and Cloudflare created mirrors of polyfill.io, so sites could continue using the code in the meantime without having to load stuff from a Chinese entity.

“The concerns are that any website that links to the original polyfill.io domain will now rely on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack,” said Sven Sauleau and Cloudflare’s Michael Tremante in February.

“Such an attack would occur if the underlying third party is compromised or changes the code served to end users in nefarious ways, compromising all websites using the tool,” they added.

Now that appears to be the case. ®