Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library (“polyfill.js”) to redirect users to malicious and scam sites.
More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.
Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull.
The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding “no website today requires any of the polyfills in the polyfill[.]io library” and that “most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can’t be polyfilled anyway, like Web Serial and Web Bluetooth.”
The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from Polyfill.io.
“The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack,” Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.
“Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised.”
The Dutch e-commerce security firm said the domain “cdn.polyfill[.]io” has since been caught injecting malware that redirects users to sports betting and pornographic sites.
“The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours,” it said. “It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.”
San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.
The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.
“In itself, it allows anyone to read private files (such as those with passwords),” Sansec said, which codenamed the exploit chain CosmicSting. “However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution.”
It has since emerged that third-parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.
