NOTE: we now have a more complete article on the Polyfill attack here.
The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.
Among the +490k websites targeted, it was confirmed the domain was still active on Disney-owned streaming service Hulu, The Guardian, Intuit and many more.
Immediate Action: Check your code for any use of the polyfill.io domain and remove it from your applications. Below, we explain how c/side can detect and block such threats. Get started using c/side for free today and secure yourself. Use our script scanner to check what vulnerabilities your site has.
An open-source project called Polyfill allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser. In February 2024, the domain polyfill.io was bought by Funnull, a Chinese company. Following the sale, the developer, Andrew Betts, urged users on Twitter to remove references to this CDN:
If your website uses https://t.co/3xHecLPXkB, remove it IMMEDIATELY.
— Andrew Betts (@triblondon) February 25, 2024
I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale. https://t.co/GYt3dhr5fI
The most popular CDN providers have since created their own forks, giving users a safer choice. Most browsers have evolved to make this no longer necessary anyway. A website called Polykill was created to report this and the possible fixes. You can use it to research if a site runs the compromised domain. At the point of writing this article, it has not been updated with reference to this issue.
The domain was found injecting malicious code into devices via websites using cdn.polyfill.io. The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users and delaying execution. The code is also obfuscated.
In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link https://www.googie-anaiytics.com/gtags.js. This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region. But this being JavaScript, could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft.
A site that we were redirected to in testing this vulnerability:
Between March 7th and 8th 2024, the domain maintainers added a Cloudflare Security Protection header to their site, as can be seen on the Internet Archive. Its purpose was not explained and is not clear.
Cloudflare has since confirmed they didn’t authorize its use.
This attack places an estimated +100k websites at immediate risk. When a once safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors.
Presumably, Funnull, the current owner of Polyfill’s domains, created a social account with the same name around the reported time they bought the domains (February 2024). In posts on X (previously Twitter), they accuse Cloudflare, the media, and others of malicious defamation:
Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website,
— Polyfill (@Polyfill_Global) June 26, 2024
but no one would do this as it would be jeopardize our own reputation.
We have already…
Take action now
The Polyfill service itself is still solid. You can host your own version in a safe and controlled environment without issue. The issue lies within the domain cdn.polyfill.io which should immediately be removed from your sites.
Third-party resources are in a very powerful position and thus a high value target for bad actors. CDNs hosting third-party scripts are subject to attack. In 2021 cdnjs itself had certain vulnerabilities exposed.
With c/side, browser-fetched third-party dependencies are no longer made directly to the third party. Instead, they travel through the c/side detection and optimization engine. Making it able to detect highly targeted attacks against a small percentage of users. If anything malicious is detected, we block it before it gets served to the end-user.
Our detection engine is able to spot this change in the actual code and block it from happening. If a site running c/side would also have had the cdn.polyfill.io try to load a tampered script, it would not have been served to the user.
You would have been alerted right away and would’ve known the second this was going on. We also save the script’s code and deobfuscate it so you can check what it does for yourself.
At the time of writing this article, threat feeds do not flag this domain. This underlines the fact that relying solely on those is risky business, as we mentioned here.
Get started using c/side for free and protect yourself today.