On June 25, 2024, more than 100,000 websites were impacted by a supply chain attack on Polyfill.io after a Chinese company acquired the domain and modified the script to redirect users to malicious sites and scams.
What is a Polyfill?
A Polyfill is code, usually JavaScript, that provides modern functionality to older browsers that don’t support certain native features of the JavaScript standard. It’s crucial for developers to maintain compatibility across a wide range of browsers.
What is Polyfill.io?
Polyfill.io is a service that automates the process of serving polyfills only when necessary. Developers use Polyfill.io to automatically deliver the correct version of JavaScript and other polyfills to browsers depending on their specific capabilities and lack of support for more modern features. This simplifies development and maintains efficiency by ensuring that polyfills are only loaded when needed.
Attack Details
This attack focused on injecting malicious code into the Polyfill.io service, used by hundreds of thousands of sites to provide browser compatibility. The domain was purchased by the Funnull company, which modified the script to inject malware, affecting any site that embedded cdn.polyfill.io in its code.
Immediate Consequences
The immediate impact was significant, with numerous reports of performance and security issues on affected sites. Developers now face the challenge of reviewing and securing their code and dependencies.
Lessons Learned and How to Protect Yourself
In response to the attack, developers and security teams should consider:
- Dependency Auditing: Review and update dependencies to ensure they haven’t been compromised.
- Security Policy Implementation: Use Content Security Policies (CSP) and Subresource Integrity (SRI) to protect your applications.
- Avoiding CDNs: Consider hosting your own scripts or using trusted alternatives to reduce exposure to third-party risks. Since domains can be acquired and modified, it’s important to have more direct control over your resources.
- Continuous Monitoring: Implement early warning systems to detect and respond quickly to suspicious activities.
- Ongoing Education: Stay informed about security best practices and community updates.
Sources
- Sansec alert on the Polyfill.io attack
- Qualys tips for protecting your dependencies
- Software supply chain analysis by FOSSA
Stay up to date with the latest news and developments in technology. Feel free to connect with me on Twitter for the latest news and insights.