A Chinese company in February bought the domain and GitHub account for Polyfill, a popular open-source library used by more than 100,000 websites to deliver JavaScript code.
In the months since the acquisition by Funnull, the domain – cdn[.]polyfill[.]io – has been used to deliver malicious code to devices via the websites that embedded the domain, redirecting users to sports betting and pornographic websites based on their region and opening the door to other attacks, such as formjacking, clickjacking and other data theft, according to researchers.
“This incident is a typical example of a supply chain attack,” the threat intelligence group of cybersecurity vendor Sansec wrote in a blog post. “The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.”
Some users were presented with a fake Google Analytics domain that redirected them to these other sites, according to Simon Wijckmans, founder of security firm c/side. In early March, those maintaining the Polyfill domain also added a Cloudflare Security Protection header to the site, though the purpose of the header wasn’t clear.
Cloudflare officials wrote in a blog post the company “has never recommended the polyfill.io service or authorized their use of Cloudflare’s name on their website. We have asked them to remove the false statement, and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted.”
100,000 Sites at Risk
“This attack places an estimated +100k websites at immediate risk,” Wijckmans wrote in an alert. “When a once safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors.”
The Polyfill open-source project lets websites use modern JavaScript features in older browsers by including only necessary polyfills based on the user’s browser, Wijckmans wrote.
Companies have been reacting since the reports from cybersecurity researchers about the situation came out this week. Google started blocking ads for e-commerce sites that use the Polyfill domain and Cloudflare reportedly implemented real-time rewrites of the domain to its own version. In addition, the domain registrar and web hosting company Namecheap put the domain on hold.
That will eliminate risks for now, but Sansec is encouraging developers to remove Polyfill references in their code.
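Removing the references is a mechanical job once you can find them. The audit script below is an added example written for this article, not code from Polyfill, Sansec, c/side or any other party named here. It assumes the operator has the site's HTML on disk (the sample page is constructed for the demo, and its URL paths are placeholders, not real polyfill.io paths). It parses every `<script src>` tag, flags any that load from the polyfill.io domain named above, and, as a secondary check, flags other cross-origin scripts that carry no `integrity` attribute. The second check exists because Subresource Integrity is the usual guard against a CDN silently changing a file, and a service that assembles a different bundle per browser, as Polyfill did, cannot be pinned that way, which is why removal rather than pinning is the recommended fix.

```python
"""Audit HTML for <script> tags that load code from the polyfill.io domain.

Added example for this article; not code from Polyfill, Sansec, c/side or
any other party named in the text. Assumes the site's HTML is available
locally. The sample page and its paths below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The domain named in the article (cdn.polyfill.io) plus its apex. Any
# further hostnames would be an operator's own addition.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}


class ScriptTagCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (src, integrity or None)

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser already lower-cases tag names
            return
        a = dict(attrs)
        src = a.get("src")
        if src:
            self.scripts.append((src, a.get("integrity")))


def host_of(src):
    """Return the lower-cased hostname of a script URL.

    Scheme-relative URLs (//host/path) are common in older pages and would
    otherwise parse with no hostname, so they are normalised to https first.
    Same-origin relative paths yield an empty string.
    """
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def audit_html(html):
    """Return findings as dicts with keys src, host and reason, in page order."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = host_of(src)
        if host in FLAGGED_HOSTS or host.endswith(".polyfill.io"):
            findings.append({"src": src, "host": host,
                             "reason": "loads from polyfill.io; remove the tag"})
        elif host and integrity is None:
            # Not part of this incident, but a cross-origin script with no
            # Subresource Integrity hash can be replaced server-side without
            # the embedding site noticing, which is the same class of risk.
            findings.append({"src": src, "host": host,
                             "reason": "cross-origin script without integrity attribute"})
    return findings


# Constructed sample page. The polyfill.io paths are placeholders.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/EXAMPLE_PATH/polyfill.js"></script>
<script src="//cdn.polyfill.io/EXAMPLE_PATH_V2/polyfill.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/other.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"{f['host']:20} {f['reason']:45} {f['src']}")
```

Run it against each HTML file (or each server-rendered page you capture) and treat every polyfill.io finding as a tag to delete or replace with a locally hosted copy; the same-origin `/static/app.js` and the SRI-protected `lib.js` are deliberately left out of the report so the list is short enough to act on.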
Polyfill Comes Back Swinging
That said, the owner of Polyfill.io isn’t backing down. They reportedly have relaunched their JavaScript content delivery network (CDN) under a new domain and are pushing back against the accusations, claiming in a post on X (formerly Twitter) that media reports were slandering them and that there are no supply chain risks.
In another post targeting Cloudflare for its “repeated, baseless and malicious defamation” and its “unethical strategy of suppressing competition before promoting their own products,” the Polyfill.io owner said they are “fully dedicated to developing a global CDN product that surpasses Cloudflare, showcasing the true power of capital.”
They said they’ve secured $50 million in startup funding and finalized the product design.
Early Warnings
The industry was warned about Polyfill soon after Funnull bought it, with Andrew Betts in a post on X telling websites using the domain to “remove it IMMEDIATELY.” Betts explained that he created the project but never owned it and had no influence over its sale.
In addition, c/side’s Wijckmans said that many popular CDN providers “have since created their own forks, giving users a safer choice. Most browsers have evolved to make this no longer necessary anyway.”
He pointed to another website, Polykill, created three days after the sale to Funnull to make developers aware of what the site’s developers called a “major JavaScript supply chain vulnerability.”
“There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web applications,” the Polykill creator wrote. “They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information on the web browser.”
A Perfect Storm
The situation caught the attention of the security industry. Eyal Paz, vice president of research at OX Security, said the “recent Polyfill supply chain attack highlights a critical issue with current-day web development: the trust placed in third-party libraries. Add to it the fact that many organizations lack the ability to track the long tail of the software supply chain and we’re looking at the perfect storm of unmanaged cybersecurity risk.”
The case raises concerns about the security standards for the open source ecosystem when a project is acquired by a company based in another nation, said Sarah Jones, cyberthreat intelligence research analyst at Critical Start.
“Polyfill.io’s widespread adoption across various industries, including e-commerce, finance, media and entertainment, and healthcare, provides a vast network of websites for malicious actors to exploit,” Jones said.
Polyfill and other platforms that host widely used open source code are typically considered trusted sources, but carry a “use at your own risk” warning, said Ngoc Bui, cybersecurity expert at Menlo Security.
“Due to the extensive reach of open-source repositories like these, the potential impact of any issues will be difficult to measure,” Bui said. “Secure coding practices are crucial to ensure that modifications sourced from these repositories do not result in damage.”