Massive Supply Chain Attack on Polyfill Impacts Over 110,000 Websites

In a recent major security breach, more than 110,000 websites have been affected by a hijacked Polyfill supply chain attack. This incident has led Google to block ads for e-commerce sites using the Polyfill.io service, following modifications to the JavaScript library "polyfill.js" by a Chinese company that acquired the domain.

Incident Overview

Polyfill, a widely-used library that integrates support for modern web browser functions, came under scrutiny when it was acquired by China-based content delivery network (CDN) company Funnull earlier this year. Concerns about the security of the library were first raised in February. The original creator, Andrew Betts, advised website owners to immediately remove Polyfill.io, stating that modern web features are now largely supported by all major browsers without the need for polyfills.

Impact and Response

The Dutch e-commerce security firm, Sansec, reported that the compromised domain "cdn.polyfill.io" has been injecting malware, redirecting users to malicious sites, including sports betting and pornographic platforms. The malicious code was designed with sophisticated protections against reverse engineering, activating only on specific mobile devices at certain times and avoiding detection by web analytics services and admin users.

In response to these threats, web infrastructure providers Cloudflare and Fastly have offered alternative endpoints to help users transition away from Polyfill.io. The core concern is that any website embedding the original Polyfill.io link is now vulnerable to potential malicious code alterations by Funnull, posing a significant risk of a supply chain attack.

Technical Insights and Further Developments

The situation is exacerbated by the recent discovery of a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8), which remains largely unpatched despite available fixes since June 11, 2024. This vulnerability, when combined with the iconv bug in Linux (CVE-2024-2961), presents a severe security threat, potentially allowing remote code execution and unauthorized API admin access without requiring a Linux version vulnerable to the iconv issue.

Protective Measures

To protect against such supply chain attacks and other cybersecurity threats, it is essential to:

Conclusion

The hijacked Polyfill supply chain attack underscores the critical need for vigilance and proactive measures in cybersecurity. Website owners and developers must stay informed and take immediate actions to secure their digital assets, ensuring robust protection against such sophisticated threats. As investigations continue, the commitment to transparency and user security remains paramount.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.