Blog
Threat Intelligence: JavaScript Supply Chain Attack Alert: Polyfill.js Compromise
July 3, 2024
We’re reaching out today to alert you to a significant JavaScript supply chain attack that may have impacted millions of legitimate websites. According to our research, tens of millions of websites, accounting for about 4% of the web, use Polyfill.js, an open-source library designed to improve compatibility with older browsers by embedding JavaScript code.
The Threat
Earlier this year, a Chinese company named Funnull acquired the domain and the GitHub account associated with Polyfill.js. Following this acquisition, they modified the Polyfill.js code to insert malicious code into websites. Any script adopted from cdn.polyfill.io was susceptible to downloading malicious code from Funnull’s site.
Response from Major Players
Cloudflare, Google, and even the Polyfill.io domain provider have taken steps to prevent sites with the malicious “plugin” from loading. Despite these measures, the attacks continue to persist. It is highly recommended that websites using these scripts remove them immediately to prevent further exploitation.
Quick Points
- Scope of Attack: JavaScript supply chain attacks via Polyfill.io have affected tens of millions of legitimate websites, as stated by Cloudflare’s CEO, Matthew Prince.
- Nature of the Attack: Websites using the compromised script have been turned into “watering-holes” for Chinese cyber-attackers, redirecting users to scam sites or malware.
- Affected Entities: Major websites such as Hulu, Intuit, Nintendo, JSTOR, and the World Economic Forum have been affected.
- Preventive Actions: Cloudflare and Google are starting to restrict sites using these malicious scripts.
Immediate Actions
- Review and Remove: Assess your websites for any dependency on Polyfill.io and remove the scripts as necessary.
- Monitor Activities: Keep an eye on unusual activities or signs of malicious code.
- Use Clean Versions: Utilize Fastly or Cloudflare’s “clean” versions of Polyfill scripts when necessary.
Pentest Report Findings
In your next penetration test, look for these report findings:
- Under the “External IP Vulnerability Analysis Log” and “Internal Vulnerability Analysis Log,” you will find Polyfill-related findings listed under the “Web Application Scanning Consolidation / Info Reporting” section.
Stay Secure
As always, we are dedicated to your security. Take these steps promptly to safeguard your digital assets from this ongoing threat.