The Polyfill.js project, a popular open-source library used to support older browsers, has been compromised by a supply chain attack. The attack occurred after a Chinese company acquired the ownership of the polyfill.io domain [1]. As a result, more than 100,000 websites that embed the cdn.polyfill.io domain have been affected [2].
Details of the attack:
- The new Chinese owner of the Polyfill.js project injected malware into the polyfill.io domain, which is used by numerous websites [2].
- The malware is dynamically generated based on HTTP headers, allowing for multiple attack vectors [2].
- The injected code redirects mobile users to a sports betting site using a fake Google Analytics domain [2].
- The malware has specific protections against reverse engineering and only activates on specific mobile devices at specific hours. It also avoids activating when it detects an admin user and delays execution when a web analytics service is found [2].
Impact and recommendations:
- Users of websites that embed the cdn.polyfill.io domain may be unknowingly redirected to malicious sites, such as sports betting and adult content websites [2].
- The original creator of the Polyfill.js project recommends not using Polyfill at all, as modern browsers no longer require it [2].
- Trustworthy alternatives to Polyfill, provided by Fastly and Cloudflare, are available for those who still require similar functionality [2].
- Google has started sending warnings about loading third-party JavaScript from domains like polyfill.io to protect users from potential harm [3].
Learn more: