Bounce attacks via the Polyfill.io service


Malicious actors have exploited the popular Polyfill.io service to carry out large-scale bounce (redirect) attacks through the software supply chain.

In a blog post published Tuesday, researchers at Dutch cybersecurity firm Sansec revealed a massive software supply chain compromise campaign involving Polyfill.io, a widely used JavaScript library service. Sansec discovered that malicious actors had injected malicious Polyfill payloads into more than 100,000 websites. Researchers first observed the activity in February, after Funnull, a Chinese company, acquired the Polyfill.io domain and GitHub account.

Sansec points out that the domain has served malware to mobile devices through any website that embeds the library from the cdn.polyfill.io domain. Although the open source library exists only to support older browsers, the potential scope of the attack is significant: Sansec estimates that more than 100,000 sites, including Intuit and the World Economic Forum, use polyfill.

Manipulating GitHub functions and accounts to carry out software supply chain compromise attacks is a growing trend in 2024.

“The polyfill code is dynamically generated based on HTTP headers, so multiple attack vectors are likely,” Sansec says in its blog post.

Researchers investigated an incident where polyfill was maliciously used to redirect mobile users to a sports betting site using a fake Google Analytics domain. Sansec warned that the code was written with reverse engineering protection and only activated on specific devices and at specific times. Even more worrying, the code did not activate when it detected an administrator user and delayed execution when a web analytics service was found.

“The original author of polyfill recommends not using it at all, as modern browsers don’t need it anymore anyway,” Sansec notes.

Sansec updated its blog on Wednesday indicating that it has suffered DDoS attacks since the publication of its study on Polyfill.io. Additionally, the researchers noted that Namecheap had suspended the domain name, which “eliminates the risk for now.” They previously noted that Funnull had registered several backup domain names for Polyfill.io with Namecheap and other domain name registrars.

Funnull posted a statement on X, formerly Twitter, on Wednesday, denying any involvement of the Polyfill.io service in malicious activity.

Containing the threat

Cloudflare announced on Wednesday that it had taken drastic action against Polyfill.io and Funnull, essentially removing the domain from its CDN. Like Sansec and other providers, Cloudflare observed malicious actors using the service to inject malicious JavaScript code into users’ browsers. Researchers have advised users not to trust the JavaScript library service for many reasons, including false claims about Cloudflare posted on the Polyfill.io website.

Cloudflare advised removing the service from websites altogether.

“This is a real threat to the entire Internet, given the popularity of this library,” Cloudflare wrote in a blog post. “Over the past 24 hours, we have implemented an automatic JavaScript URL rewriting service that will rewrite any link to polyfill.io found on a website proxied by Cloudflare into a link to our mirror under cdnjs. This will avoid interrupting the functionality of the site while mitigating the risk of a supply chain attack.”

Cloudflare added that the feature is automatically enabled for any website using its free tier. In February, Cloudflare created its own mirror of Polyfill.io due to concerns about the domain’s new owner, Funnull. At the time, Cloudflare noted that Funnull was a relatively unknown company, raising concerns about the integrity of the supply chain.

“The new owner was unknown in the industry and did not have the confidence to manage a project like polyfill.io. The concern, highlighted even by the original author, was that if they were to abuse polyfill.io by injecting additional code into the library, it could cause large-scale security issues across the Internet, affecting many hundreds of thousands of websites,” the blog post reads.

On the trail of the malicious actor

Cloudflare added that its concerns about supply chain attacks were realized Tuesday when Polyfill.io users were redirected to malicious sites. The blog post notes that Cloudflare did not block the domain due to concerns about widespread outages. Cloudflare said estimates show that polyfill.io is used “on nearly 4% of all websites.”

Cloud service provider Fastly also created a mirror of Polyfill.io before the Funnull acquisition, citing similar concerns.

Other domain names involved have been identified: bootcss[.]com, bootcdn[.]net, staticfile[.]org, but also staticfile[.]net, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]there, and newcrbpc[.]com. The link between these domain names is a Cloudflare ID found in the library’s GitHub repository.
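The rewriting Cloudflare describes above, reduced to a site-side audit that a webmaster can run over their own templates, as an added example (not Cloudflare’s or Sansec’s code): it finds external script tags loading from polyfill.io or from the other domains listed in this article, points the polyfill.io ones at the cdnjs mirror (keeping the features query so the same bundle is served) and drops the rest, which is the outright removal the researchers recommend. The mirror URL is an assumption and the sample HTML is constructed.

```python
import re
from urllib.parse import urlparse

# Domains named in the reporting; any subdomain of these matches.
SUSPECT_DOMAINS = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org",
                   "staticfile.net", "unionadjs.com", "xhsbpza.com", "newcrbpc.com")
# Assumed location of Cloudflare's polyfill mirror under cdnjs; verify before relying on it.
MIRROR = "https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"
# Matches a complete external <script src=...></script> element.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*(["\'])(?P<src>.*?)\1[^>]*>\s*</script\s*>',
    re.IGNORECASE | re.DOTALL)

def classify(url: str) -> str:
    """'polyfill' for polyfill.io hosts, 'suspect' for the other named domains, '' otherwise
    (including site-local paths such as /static/app.js)."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # scheme-less 'cdn.polyfill.io/x.js' becomes host-first
    host = (urlparse(url).hostname or "").lower()
    for domain in SUSPECT_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "polyfill" if domain == "polyfill.io" else "suspect"
    return ""

def rewrite_html(html: str, mirror: bool = True) -> tuple[str, list[str]]:
    """Point polyfill.io script tags at MIRROR (or drop them when mirror=False) and
    always drop tags loading from the other named domains. Returns (html, hit URLs)."""
    hits: list[str] = []

    def repl(m: re.Match) -> str:
        src = m.group("src")
        kind = classify(src)
        if not kind:
            return m.group(0)
        hits.append(src)
        if kind == "polyfill" and mirror:
            query = urlparse(src).query  # keep ?features=... so the same bundle is served
            return m.group(0).replace(src, MIRROR + ("?" + query if query else ""), 1)
        return ""

    return SCRIPT_RE.sub(repl, html), hits

# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<script src="/static/app.js"></script>
</head>"""
```

Calling `rewrite_html(SAMPLE_HTML)` returns the cleaned page plus the two offending URLs; `rewrite_html(SAMPLE_HTML, mirror=False)` drops the polyfill tag instead of mirroring it.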

A security researcher has further found references suggesting that this could be a campaign that originated in June 2023.
