The recent discovery of a website supply chain attack using the cdn.polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become the epicenter of a significant website supply chain attack. As of this writing, it is estimated that this attack has targeted over 100,000 websites, including well-known brands.
At Imperva, we recognize the significance of safeguarding against these attacks, which can potentially jeopardize the security of entire websites and their users. Upon learning about the alarming nature and scale of this attack, we promptly took action to guarantee the safety and security of our customers and their users.
Funnull, a Chinese company, acquired the domain polyfill[.]io. Following the acquisition, Funnull began inserting malicious code into the scripts served to end users. So far, over 100,000 sites have been impacted. When developers included the cdn.polyfill[.]io scripts in their websites, the code was fetched directly from the server owned by Funnull.
The injected code generates its payload dynamically based on the request's HTTP headers: it specifically targets mobile devices, evades detection, avoids admin users, and delays execution. The malicious scripts often include a fake Google Analytics link that redirects users to various inappropriate, scam, or phishing websites, which could lead to data theft.
The malicious domains used advanced evasion tactics, including protections against reverse engineering, activating only on specific mobile devices at certain times, and avoiding execution when admin users or web analytics services are detected.
While the polyfill[.]io domain has been suspended by its registrar and can no longer redirect users to malicious sites, we believe it is still important to remove all related scripts to maintain security best practices.
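One way to audit a codebase for the references that need removing, as an added example that is not part of the original post or of Imperva's product: parse each HTML page, collect every `<script src>` and flag any whose host is polyfill.io or a subdomain of it. The sample page, the `FLAGGED_HOSTS` set and the script paths are constructed for illustration.

```python
"""Find <script> tags that load from polyfill.io so they can be removed.

Added example (not from Imperva or the original post). It scans a constructed
sample page inline; call find_polyfill_scripts() on real files to audit a site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames to flag: the compromised domain and, via the suffix check below,
# any of its subdomains such as cdn.polyfill.io.
FLAGGED_HOSTS = {"polyfill.io"}


def _host_is_flagged(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_polyfill_scripts(html: str) -> list:
    """Return the src values of script tags served from a flagged host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        # Scheme-relative URLs (//cdn.polyfill.io/...) carry no scheme; add one
        # so urlparse reports the host instead of treating it as a path.
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).hostname or ""
        if _host_is_flagged(host):
            flagged.append(src)
    return flagged


# Constructed sample page: two polyfill.io includes, one local script and one
# look-alike domain that must not be flagged by a naive substring match.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.js"></script>
<script src="/static/app.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in find_polyfill_scripts(SAMPLE_HTML):
        print("remove:", src)
```

Because the served script varied with the request's headers, fetching it and hashing the result is not a reliable check; the reference itself is the indicator, and removing it is the fix.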
Our Client-Side Protection solution swiftly identified which customers and specific websites had these compromised domains in their codebase. Imperva Client-Side Protection helps detect such threats and provides immediate action to mitigate risks. If you are an Imperva customer currently using Client-Side Protection with Instant Blocking enabled, you are protected from this attack. For Client-Side Protection customers who don't have this feature enabled, you can find a quick guide on how to turn it on here.
For Imperva customers not currently using Client-Side Protection, start a free trial today to discover if your site is vulnerable.
As a proactive measure, our support organization is actively working with the Client-Side Protection engineering team to notify and assist all customers identified on the list of compromised domains. Our goal is to ensure that every website owner understands the urgency of removing these domains to protect their users and maintain the integrity of their online presence.
Ensuring the security of your website and its visitors is crucial. Proactively removing and replacing compromised domains protects your users and maintains your reputation as a trustworthy online presence. Imperva is dedicated to supporting our customers through this process, and we encourage immediate action to mitigate potential risks. Together, we can defend against threats and foster a safer digital environment.
Imperva Client-Side Protection prevents data theft from client-side attacks like formjacking, Magecart, and other online skimming techniques that often exploit vulnerabilities in the website supply chain. It mitigates the risk of your customers’ most sensitive data landing in the hands of bad actors, resulting in devastating, costly data breaches.
By providing clear visibility with actionable insights and easy controls, Imperva empowers your security team to effortlessly determine the nature of each client-side resource and block any unapproved ones. Imperva Client-Side Protection also ensures your organization meets the latest compliance standards, including those in PCI DSS 4.0. Leveraging Imperva’s advanced capabilities, you can safeguard your digital assets against sophisticated supply chain attacks, ensuring your customers' data remains secure and your business operations uninterrupted.