Threat: Polyfill.io
Threat Type: Supply-Chain Attack
Polyfill.io Threat Overview and Attack Characteristics
The Polyfill.io supply chain attack poses a severe risk to website owners, with more than 100,000 sites estimated to have loaded scripts from the domain. Polyfill.io is a widely used service that serves JavaScript polyfills, code that backfills modern browser features on older browsers. In early 2024 the Polyfill.io domain was acquired by Funnull, a Chinese company, which has since used the domain to deliver malicious JavaScript. That code redirects visitors to scam, gambling, or pornographic sites.
The underlying polyfill service is open source and was designed to add missing functionality to older browsers, ensuring compatibility across browser versions. The Polyfill.io CDN, once community-run, was used by over 100,000 legitimate sites, including major organizations such as JSTOR, Intuit, and the World Economic Forum. Since Funnull's acquisition of the domain, the CDN has been serving malicious code. The payload is generated dynamically from request headers such as the User-Agent, so different visitors receive different code; this gives the attacker multiple delivery paths and makes the behavior hard to reproduce from a single fetch. It primarily targets mobile devices, injecting malware and redirecting users to undesirable sites.
Key Indicators of Compromise (IoCs) include:
- Typosquatted URLs: URLs mimicking services like Google Analytics.
- Suspicious Scripts: Scripts delivered via the Polyfill.io domain.
- Malicious Redirects: Redirecting mobile users to sports betting sites using fake Google Analytics domains.
These indicators highlight the critical need for heightened vigilance regarding third-party services and CDNs integrated into website infrastructures.
Immediate Actions for Website Owners:
- Remove JavaScript Code Linked to Polyfill.io: Remove every script tag or import that loads from polyfill.io or any of its subdomains (such as cdn.polyfill.io). If you still need polyfills, self-host them or load them from a source you control.
- Heightened Awareness: Inventory every third-party script and CDN integrated into your website, and treat each one as code you are trusting to run in your visitors' browsers.
- Regular Updates: Regularly check and update dependencies to ensure they come from trusted sources. Where a CDN serves static files, pin them with Subresource Integrity hashes; note that Polyfill.io's bundles varied by browser and so could never be pinned that way.
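The following is an added audit script, not code from the original post or from zvelo. It turns the IoC list above and the first two remediation steps into a check you can run over your own HTML: it collects every external script source on a page, flags anything loaded from polyfill.io or one of its subdomains, and lists any other third-party host that is not on an explicit allowlist. The allowlist and the sample HTML are constructed for illustration; substitute your own.

```python
"""Audit HTML for <script src> tags that load from polyfill.io or from
any third-party origin not on an explicit allowlist (standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain tied to the compromised service. Matching is by suffix so that
# cdn.polyfill.io and any other subdomain are caught as well.
BLOCKED_SUFFIXES = ("polyfill.io",)

# Third-party hosts this site deliberately trusts. Hypothetical example
# list; replace with the origins you have actually reviewed.
ALLOWED_HOSTS = {"cdnjs.cloudflare.com", "www.googletagmanager.com"}


def _host_matches(host, suffix):
    """True if host is suffix itself or a subdomain of it (not a lookalike
    such as notpolyfill.io or polyfill.io.example.com)."""
    return host == suffix or host.endswith("." + suffix)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(html):
    """Return the hostname of every script loaded from a remote origin.
    Relative and inline scripts are skipped; protocol-relative URLs
    (//host/path) are treated as remote, since they resolve to a host."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname  # lowercased, port and userinfo stripped
        if host:
            hosts.append(host)
    return hosts


def audit_page(html, allowed=ALLOWED_HOSTS):
    """Classify each remote script host as blocked, allowed, or unknown."""
    result = {"blocked": [], "allowed": [], "unknown": []}
    for host in external_script_hosts(html):
        if any(_host_matches(host, s) for s in BLOCKED_SUFFIXES):
            result["blocked"].append(host)
        elif host in allowed:
            result["allowed"].append(host)
        else:
            result["unknown"].append(host)
    return result


# Constructed sample page: two Polyfill.io loads (one protocol-relative),
# one allowlisted CDN, one unreviewed third party, one same-origin script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://example-analytics.test/tag.js"></script>
<script src="/assets/app.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>"""

if __name__ == "__main__":
    findings = audit_page(SAMPLE_HTML)
    for category, hosts in findings.items():
        print(f"{category}: {hosts}")
```

Run it against saved copies of your templates or crawled pages; anything in "blocked" must be removed, and anything in "unknown" is a third-party script that has not yet been reviewed. The suffix match deliberately rejects lookalike names, which is what the page's typosquatting warning is about: a hostname that merely contains "polyfill.io" or "google-analytics" is not the same thing as the real domain.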
Industry Response
In response to this threat, Google has blocked ads for websites that load the compromised code, reducing the number of visitors exposed to it. Cloudflare has begun rewriting references to cdn.polyfill.io in real time to its own mirror of the service, and Namecheap has placed the domain on hold altogether. Affected site owners have been notified so that they can mitigate the impact.
How zvelo is Protecting Clients from the Polyfill Attack
zvelo's malicious detection services and cybersecurity team identified the Polyfill.io attack in its early stages, and the processes worked as designed: the related IoCs and associated metadata were automatically added to the zvelo Malicious Detailed Detection Feed ("MDDF"), giving zvelo's MDDF partners and their users immediate protection against Polyfill.io threats at the base domain and its subdomains, along with the associated IP addresses. As a result, zvelo's partners and their end users/clients using zveloDB and MDDF are protected from the malicious redirects linked to the Polyfill.io attack. The zvelo Cybersecurity Team continues to analyze internal and external trusted data sources for additional Polyfill IoCs; once verified, these are added to MDDF so that zvelo's clients remain protected from these specific threats.
This supply chain attack underscores the importance of rigorous security practices for third-party services. Website owners should act promptly to remove every reference to Polyfill.io and to review the other third-party scripts they load. By taking these steps, you can safeguard your website and its users from the damaging effects of this malicious activity.