News: 1719359293

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately

(2024/06/26)


The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year.

Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the pollyfill.io domain to immediately remove it.

The site offered [1]polyfills – useful bits of JavaScript code that add functionality to older browsers that is built into newer versions. These in-fills make life easier for developers in that by using polyfillers, they know their web code will work across a greater range of browsers.

[2]

Now we're told pollyfill.io is serving malicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running that malware in their browser.

[3]

[4]

"The cdn.polyfill.io domain is currently being used in a web supply chain attack," security monitoring biz c/side's Carlo D'Agnolo [5]said in an advisory. "It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users."

Additionally, we understand Google has started blocking Google Ads for websites that use the impacted code presumably to reduce traffic to them and cut the number of potential victims. Affected site owners have also been alerted by the internet giant.

[6]

"We detected a security issue recently that may affect websites using certain third-party libraries," a Google spokesperson told The Register . "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."

Sites that embed poisoned scripts from polyfill.io and also bootcss.com may end up unexpectedly redirecting visitors away from the intended location, and send them to malicious sites, Google [7]told advertisers.

More than [8]100,000 sites are already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a Chinese CDN operator that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack.

[9]

Polyfill.io is used by academic library JSTOR as well as Intuit, World Economic Forum, and tons more.

Since February, "this domain was caught injecting [10]malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec, an e-commerce security company, [11]warned , adding that any [12]complaints about the malicious activity are quickly vanished from the GitHub repository.

"The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely," Sansec noted.

[13]It may take decade to shore up software supply chain security, says infosec CEO

[14]What happens when the maintainer of a JS library downloaded 26m times a week goes to prison for killing someone with a motorbike? Core-js just found out

[15]Over 170K users caught up in poisoned Python package ruse

[16]In the rush to build AI apps, please, please don't leave security behind

In fact, Andrew Betts, who created the open source polyfill service project in the mid-2010s, told people earlier this year to not use polyfill.io at all. As we understand it, Betts maintained the project and contributed to its GitHub repo until a few years ago, arguing now that it's really no longer needed.

In February, he said he had nothing to do with the domain name's sale, and presumably the associated GitHub repo, to the Chinese CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.

"If you own a website, loading a script implies an incredible relationship of trust with that third party," he [17]Xeeted at the time. "Do you actually trust them?"

Soon after other popular CDN providers including [18]Fastly , where Betts works today, and [19]Cloudflare created [20]mirrors of polyfill.io so that sites could continue to use the code for the meanwhile without having to load in stuff from a Chinese entity.

"The concerns are that any website embedding a link to the original polyfill.io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare's Sven Sauleau and Michael Tremante [21]said in February.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised," they added.

Now that seems to be the case. ®

Get our [22]Tech Resources



[1] https://developer.mozilla.org/en-US/docs/Glossary/Polyfill

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnuSZHbrcmxIEr7ctGYsBAAAAAs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnuSZHbrcmxIEr7ctGYsBAAAAAs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnuSZHbrcmxIEr7ctGYsBAAAAAs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://cside.dev/blog/more-than-100k-websites-targeted-in-web-supply-chain-attack

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnuSZHbrcmxIEr7ctGYsBAAAAAs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://x.com/spazef0rze/status/1805645015663673670

[8] https://publicwww.com/websites/%22cdn.polyfill.io%22/

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnuSZHbrcmxIEr7ctGYsBAAAAAs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[10] https://web.archive.org/web/20240624110153/https://github.com/polyfillpolyfill/polyfill-service/issues/2873

[11] https://sansec.io/research/polyfill-supply-chain-attack

[12] https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834

[13] https://www.theregister.com/2024/05/03/it_might_take_a_decade/

[14] https://www.theregister.com/2020/03/26/corejs_maintainer_jailed_code_release/

[15] https://www.theregister.com/2024/03/25/python_package_malware/

[16] https://www.theregister.com/2024/03/17/ai_supply_chain/

[17] https://x.com/triblondon/status/1761852117579427975

[18] https://community.fastly.com/t/new-options-for-polyfill-io-users/2540

[19] https://cdnjs.cloudflare.com/polyfill

[20] https://polykill.io/

[21] https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

[22] https://whitepapers.theregister.com/



Integrity

tinpinion

Firefox 43 and Chrome 45 started supporting this thing called Subresource Integrity back in 2015 (Edge and Safari joined the party in 2018). Basically, use a specially-formatted hash in the 'integrity' attribute of the 'script' HTML tag. It allows scripts coming from third-party CDNs to be ignored if they're modified.

While I've just learned about it today myself, I can only hope that folks who do this for a living have a bit more of an ear to the ground for such revolutionary advances in security technologies as these.

Re: Integrity

claimed

This is what I come to El Reg for. Thank you, this is a fab tip!

<movement> hmm, all you kernel hackers spending too much time adding
fortunes instead of important stuff :)

- John Levon trying to grasp kernel hacking reality