
Over 100K+ Sites Hit by Polyfill.io Supply Chain Attack

E-Commerce security firm Sansec disclosed a new supply chain attack affecting the Polyfill JS service, delivered through the CDN domains that host it. According to Sansec, over 100K sites were hit. The original author of the service, Andrew Betts, suggested removing Polyfill from any site still using it.

According to Sansec, a malicious actor has taken control of a number of domains and used them to spread malware since at least June 2023. Sansec's first report flagged only the https://cdn.polyfill.io domain as affected:

In February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

A few days later, Sansec extended the list of affected domains to include bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, and newcrbpc.com.

Since the Polyfill JS service generates polyfill code dynamically based on the browser and device sending the request, the malware actually delivered to a given client may vary as well. Sansec observed one variant that redirects mobile users to a sports betting site via a look-alike Google Analytics domain (www.googie-anaiytics.com), but it is not yet known whether additional variants exist.

The injected code is protected against reverse engineering and activates only on specific mobile devices at specific hours. It does not activate when it detects an admin user, and it delays execution when a web analytics service is present, presumably to stay out of the site's statistics.

The original creator of the service, Andrew Betts, has denied any affiliation with the polyfill.io domain or involvement in its sale. As mentioned, he also suggested dropping polyfill.io altogether:

No website today requires any of the polyfills in the http://polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.

Cloudflare has released an automatic JavaScript URL rewriting service that rewrites any link to polyfill.io into a link to a Cloudflare-hosted copy of polyfill.js.

Cloudflare adds a few details that help explain how this supply chain attack came about:

Back in February, the domain polyfill.io, which hosts a popular JavaScript library, was sold to a new owner: Funnull, a relatively unknown company. At the time, we were concerned that this created a supply chain risk.

This new supply chain attack once again raises concerns about widespread practices in web development. Betts observed in his X thread that domains serving popular JS scripts are a "huge security concern", since they can access or modify every website that loads them:

If you own a website, loading a script implies an incredible relationship of trust with that third party. Do you actually trust them?

Several commenters on Hacker News pointed to subresource integrity (SRI) checks as a way to address this kind of risk, although admittedly this was not an option for polyfill.io, since it generates the code dynamically: an integrity hash pins one exact byte sequence, and a response that differs per browser cannot match it.

Others noted that loading shared dependencies from a public CDN is no longer justified for most use cases: browsers now partition the HTTP cache by top-level site, and HTTP/2 multiplexing removed the practical limit on concurrent requests to a single domain, so the idea that a dependency common to different sites would be served from the local cache no longer holds.
