Source: Qualys Blog, Sheela Sarva (QUALYSBLOG:4B57C7868500E905C758DFB9FDAF34A1)
History: Jun 29, 2024 - 1:31 a.m.

Polyfill.io Supply Chain Attack

2024-06-29 01:31:07
Sheela Sarva
blog.qualys.com
Tags: supply chain attack, polyfill.js, malicious code, alternative cdn, qualys, web security

AI Score: 7.7 High (Confidence: Low)

Polyfill.js is a popular open-source library that adds modern JavaScript features to older browsers. Thousands of sites embed it from the cdn[.]polyfill[.]io domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company modified Polyfill.js so that malicious code is injected into websites that embed scripts from cdn.polyfill[.]io: any script loaded from cdn.polyfill[.]io would immediately download malicious code from the Chinese company's site. Some of the known outcomes are:

  • users are redirected to scam sites,
  • an attacker can steal sensitive data,
  • code execution is potentially possible.

Given that modern browsers do not require polyfills, the original Polyfill author recommends not using Polyfill at all. Recommended alternatives are CDNs such as Cloudflare and Fastly.
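As an added example (not code from the Qualys post), the following Python check scans a page's HTML for script tags that load from polyfill.io or any of its subdomains, which is the embedding pattern described above; SAMPLE_HTML is a constructed page, and protocol-relative `//host/path` sources are handled because older embeds often use them.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain named in the post; any subdomain (e.g. cdn.polyfill.io) counts.
SUSPECT_DOMAIN = "polyfill.io"


def host_of(src: str) -> str:
    """Return the lowercase host of a script src, handling '//host/path' URLs."""
    if src.startswith("//"):
        src = "https:" + src  # protocol-relative URLs inherit the page scheme
    return (urlsplit(src).hostname or "").lower()


def is_suspect_host(host: str) -> bool:
    """True for polyfill.io itself or a subdomain; 'notpolyfill.io' must not match."""
    return host == SUSPECT_DOMAIN or host.endswith("." + SUSPECT_DOMAIN)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def find_polyfill_scripts(html: str) -> list[str]:
    """Return every <script src> in the document that loads from polyfill.io."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs if is_suspect_host(host_of(s))]


# Constructed sample page (not from the post): two hits, two non-hits.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.notpolyfill.io/x.js"></script>
<script src="/static/app.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for hit in find_polyfill_scripts(SAMPLE_HTML):
        print("remove or replace:", hit)
```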

Secure Your Website with Qualys:

Qualys is releasing multiple detections to identify content downloaded from the CDN and sites that have been compromised.

Launch a Web Application Scan to detect vulnerable JavaScripts with the following detections:

  • QID 152102: Vulnerable JavaScripts Downloaded From Polyfill.io
  • QID 151040: Vulnerable JavaScript Detected - Polyfill.js

Launch a Web Malware Scan to detect downloaded malware or malicious URLs with the following detections:

  • QID 207003: A Match to a Known Virus was Detected
  • QID 208000: Content was Loaded from a Remote Malicious Page
  • QID 208001: A Link to a Malicious Page was Found
  • QID 208002: Your Web Site Domain is Blacklisted
