Google has begun blocking Google Ads for e-commerce sites that use the Polyfill.io service, after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") so that it redirects visitors to malicious and scam websites.
According to a report released on Tuesday by Sansec, more than 110,000 websites incorporating the library have been affected by this supply chain breach.
Polyfill is a widely used library that adds support for modern web platform features to older browsers that lack them. Concerns first arose in February, when the service was acquired by Funnull, a Chinese content delivery network (CDN) company.
Andrew Betts, the original author of the project, urged website owners to remove it immediately, remarking that "none of the polyfills in the polyfill[.]io library are necessary for any present-day website" and that "most enhancements to the web platform are swiftly integrated by all major browsers, with a few exceptions that are generally not polyfillable, such as Web Serial and Web Bluetooth."
This development has also prompted internet infrastructure service providers like Cloudflare and Fastly to propose alternative access points to help users migrate away from polyfill[.]io.
“The concern is that any website embedding a link to the original polyfill[.]io domain would now depend on Funnull for maintaining and securing the underlying project to prevent the risk of a supply chain breach,” observed Cloudflare researchers Sven Sauleau and Michael Tremante in a statement issued at that time.
“Such an attack could transpire if the foundational third-party provider is compromised or amends the served code in deceitful ways, leading to the compromise of all websites leveraging the tool.”
Sansec, the Dutch e-commerce security firm, reported that the domain "cdn.polyfill[.]io" was found to be injecting malware that redirects users to online betting and adult content websites.
“The code includes specific safeguards against reverse engineering and exclusively activates on particular mobile devices during specific time periods,” the firm explained. “It also refrains from activation when an administrative user is detected and delays execution upon finding a web analytics service, presumably to avoid detection in analytical reports.”
c/side, based in San Francisco, has also released its own advisory, noting that the domain's maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.

The revelations come after a warning about a severe security vulnerability affecting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that remains largely unpatched despite fixes being available since June 11, 2024.
“On its own, this flaw permits anyone to access private files (such as those containing passwords),” stated Sansec, which nicknamed the exploit chain CosmicSting. “However, in conjunction with the recent iconv bug in Linux, it takes on the form of a security vulnerability that enables remote code execution.”
It has since come to light that third parties can obtain API admin privileges without needing a Linux distribution susceptible to the iconv vulnerability (CVE-2024-2961), which further escalates the severity of the situation.

