The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year.

Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the pollyfill.io domain to immediately remove it.

The site offered polyfills - useful bits of JavaScript code that add functionality to older browsers that is built into newer versions. These in-fills make life easier for developers in that by using polyfillers, they know their web code will work across a greater range of browsers.

Now we're told pollyfill.io is serving malicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running that malware in their browser.

"The cdn.polyfill.io domain is currently being used in a web supply chain attack," security monitoring biz c/side's Carlo D'Agnolo said in an advisory. "It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users." 

Additionally, we understand Google has started blocking Google Ads for websites that use the impacted code presumably to reduce traffic to them and cut the number of potential victims. Affected site owners have also been alerted by the internet giant.

"We detected a security issue recently that may affect websites using certain third-party libraries," a Google spokesperson told The Register. "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."

Sites that embed poisoned scripts from polyfill.io and also bootcss.com may end up unexpectedly redirecting visitors away from the intended location, and send them to malicious sites, Google told advertisers.

More than 100,000 sites are already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a Chinese CDN operator that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack.

Polyfill.io is used by academic library JSTOR as well as Intuit, World Economic Forum, and tons more.

Since February, "this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec, an e-commerce security company, warned, adding that any complaints about the malicious activity are quickly vanished from the GitHub repository.

"The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely," Sansec noted.

In fact, Andrew Betts, who created the open source polyfill service project in the mid-2010s, told people earlier this year to not use polyfill.io at all. As we understand it, Betts maintained the project and contributed to its GitHub repo until a few years ago, arguing now that it's really no longer needed.

In February, he said he had nothing to do with the domain name's sale, and presumably the associated GitHub repo, to the Chinese CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.

"If you own a website, loading a script implies an incredible relationship of trust with that third party," he Xeeted at the time. "Do you actually trust them?"

Soon after other popular CDN providers including Fastly, where Betts works today, and Cloudflare created mirrors of polyfill.io so that sites could continue to use the code for the meanwhile without having to load in stuff from a Chinese entity.

"The concerns are that any website embedding a link to the original polyfill.io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare's Sven Sauleau and Michael Tremante said in February.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised," they added.

Now that seems to be the case. ®

https://www.theregister.com//2024/06/25/polyfillio_china_crisis/