Time: 2024-06-27
Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites. More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report. Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull. The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding "no website today requires any of the polyfills in the polyfill[.]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."
The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from polyfill[.]io. The Dutch e-commerce security firm said the domain "cdn.polyfill[.]io" has since been caught injecting malware that redirects users to sports betting and pornographic sites. San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024. The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.
The polyfill.io domain is being used to infect more than 100,000 websites with malware after what's said to be a Chinese organization bought the domain earlier this year. Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the polyfill.io domain to immediately remove it. The site offered polyfills useful bits of JavaScript code that add functionality to older browsers that is built into newer versions. Now we're told polyfill.io is serving malicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running that malware in their browser. Google has started blocking Google Ads for websites that use the impacted code presumably to reduce traffic to them and cut the number of potential victims. Affected site owners have also been alerted by the internet giant. More than 100,000 sites are already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a CDN operator believed to be Chinese that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack. Polyfill.io is used by academic library JSTOR as well as Intuit, World Economic Forum, and tons more.
"The cdn.polyfill.io domain is currently being used in a web supply chain attack," security monitoring biz c/side's Carlo D'Agnolo said in an advisory. "It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users." Additionally, we understand Google has started blocking Google Ads for websites that use the impacted code presumably to reduce traffic to them and cut the number of potential victims. Affected site owners have also been alerted by the internet giant. The finding that the domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io, Sansec, an e-commerce security company, warned, adding that any complaints about the malicious activity are quickly vanished from the GitHub repository. In February, he said he had nothing to do with the domain name's sale, and presumably the associated GitHub repo, to the mysterious CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.
Business
