JavaScript Supply Chain Attack: Polyfill.io Redirects Users to Scam Sites After Chinese Acquisition

Jun 26, 2024 | News

Over 100,000 websites have been impacted by a supply chain attack involving the Polyfill.io service after a Chinese company acquired the domain and modified the script to redirect users to malicious and scam sites.

A polyfill is JavaScript code that adds modern functionality to older browsers, allowing sites to use newer web-platform features even on browsers that do not natively support them.

Supply Chain Attack

Polyfill.io is a widely used service that helps websites ensure compatibility across different browsers. However, cybersecurity company Sansec has warned that the service was purchased earlier this year by a Chinese company named Funnull, which has since modified the script to introduce malicious code, causing a widespread supply chain attack.

“In February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io,” explained Sansec.

Upon the acquisition of Polyfill.io, the original project developer advised website owners to remove it immediately to mitigate the risk of a supply chain attack. In response, Cloudflare and Fastly set up their own mirrors of the Polyfill.io service to provide a trusted alternative.

“No website today requires any of the polyfills in the library,” tweeted the original Polyfills service project developer. “Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can’t be polyfilled anyway, like Web Serial and Web Bluetooth.”

https://x.com/triblondon/status/1761852117579427975


Sansec found that the new owners of Polyfill.io were injecting malicious code that redirected users to scam sites without the knowledge of the website owners. For example, users were redirected to fake sportsbook sites through domains like www.googie-anaiytics.com and kuurza.com/redirect?from=bitget.

The malicious script employs specific targeting measures and is resistant to reverse engineering. It activates only on certain mobile devices at specific times, avoids execution when detecting admin users, and delays execution when a web analytics service is present to avoid detection.

Currently, the domain cdn.polyfill.io has been redirected to Cloudflare’s mirror. However, as the domain’s DNS servers remain unchanged, the owners could revert it to their own domains at any time. BleepingComputer contacted Cloudflare for comment but has not received a response.

Google Issued a Warning

In light of this attack, Google has begun notifying advertisers, warning them that their landing pages may include the malicious code, potentially redirecting visitors away from the intended site without permission. Google has also flagged other services, such as Bootcss, Bootcdn, and Staticfile, as sources of similar redirects, potentially affecting thousands more sites.
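As an added example (not code from the article or from Sansec/Google), the following Python scanner finds `<script>` and `<link>` references to the third-party hosts the article and Google's notice name (polyfill.io, bootcss.com, bootcdn.net, staticfile.org) in a page's HTML, including subdomains such as cdn.polyfill.io and protocol-relative URLs. The sample HTML is constructed for the demonstration.

```python
"""Find external script/stylesheet loads from the hosts named in the article.
Constructed example; the flagged host list comes from the article's text."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article and Google's notice; subdomains also count.
FLAGGED_HOSTS = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org")


def host_is_flagged(url: str) -> bool:
    """True if the URL's host is a flagged host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()  # handles //host/path too
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class ThirdPartyLoadFinder(HTMLParser):
    """Collects (tag, url) for every <script src> / <link href> on a flagged host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link":
            url = a.get("href")
        else:
            return
        if url and host_is_flagged(url):
            self.findings.append((tag, url))


def find_flagged_references(html: str):
    """Return the list of (tag, url) loads from flagged hosts found in html."""
    parser = ThirdPartyLoadFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page: the polyfill loader, two other flagged CDNs, one benign script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//cdn.bootcdn.net/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.staticfile.org/bootstrap/5.3.0/css/bootstrap.min.css">
<script src="https://example.com/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_flagged_references(SAMPLE_HTML):
        print(f"{tag:6} {url}")
```

Run it over saved copies of your own landing pages to find loads that should be replaced with a self-hosted copy or a trusted mirror.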

[Image: Google letter to advertisers about the supply chain attack. Source: Sansec]
“The code causing these redirects seems to be coming from a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org,” reads Google’s email to advertisers.

Google warns that if these redirects are found during regular checks, the related advertisements will be disapproved.

In response to inquiries, Google issued the following statement: “Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries. To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue.”


Source: bleepingcomputer.com
