A domain used by more than 100,000 websites to improve JavaScript compatibility with older browsers has been compromised, resulting in end users being redirected to sites with pornographic and controversial content.
According to the security research team at Sansec, polyfill.js is an open-source code library that lets older browsers support modern JavaScript features. More than 100,000 sites have embedded the open-source code by loading it from the cdn.polyfill.io domain, which has been compromised as part of a widespread web supply chain attack.
The once-safe domain is now injecting malicious code into the scripts it serves to end users, redirecting them to other websites. Researchers note that because the injected malware is JavaScript, further attack vectors are likely to follow.
The news comes just months after the domain and its associated GitHub account were purchased by a Chinese firm called Funnull. At the time, Andrew Betts, the developer of the software, quickly sounded the alarm.
“If your website uses polyfill.io, remove it IMMEDIATELY,” Betts wrote in a February 2024 social media post.
BARR’s cybersecurity consulting team shared their recommendations for organizations on how to respond to this incident and mitigate future risk.
“Organizations should determine whether polyfill.io is used on any company websites. If so, they should implement secure alternatives,” said Mitch Evans, BARR’s director of cybersecurity consulting. “If any organization determines an incident occurred due to this issue, security teams should enact their incident response plan and follow the procedures defined by that plan.”
“It is crucial to manage supply chain risk by keeping an inventory of third-party services and libraries, evaluating the criticality of services, and using integrity checks or Subresource Integrity (SRI) to ensure the authenticity of dependencies,” said Larry Kinkaid, manager of cybersecurity consulting at BARR. “Additionally, enhance your monitoring and detection by implementing controls to detect unusual activity and potential breaches.”
Kinkaid added, “These are all preventative and detective controls, but don’t discount your ability to respond and tailor your Incident Response Plan (IRP) to address supply chain attacks if it doesn’t already.”
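As an added example (not BARR's code, and not code from the polyfill.io project), the following Python script puts the first two recommendations above into practice: it inventories third-party script and stylesheet references in a page's HTML, flags any that load from polyfill.io, flags external resources that carry no Subresource Integrity attribute, and computes the SRI hash you would pin for a self-hosted copy of a dependency. The sample HTML and the hostnames example-cdn.test, fonts.example.test and www.example.test are constructed for the demonstration; the only real hostname used is the polyfill.io domain named in the article.

```python
"""Added example: inventory third-party script/stylesheet references in a
page, flag polyfill.io loads and missing SRI, and compute SRI hashes.
Not BARR's or polyfill.io's code; sample HTML and hostnames are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# The compromised domain named in the article. Subdomains such as
# cdn.polyfill.io are matched by the suffix test in audit().
FLAGGED_DOMAIN = "polyfill.io"


class RefCollector(HTMLParser):
    """Collect <script src=...> and <link rel=stylesheet href=...> references
    together with their integrity/crossorigin attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attrs is a list of (name, value) pairs
        if tag == "script" and a.get("src"):
            self.refs.append({"tag": "script", "url": a["src"],
                              "integrity": a.get("integrity"),
                              "crossorigin": a.get("crossorigin")})
        elif tag == "link" and a.get("href") and \
                "stylesheet" in (a.get("rel") or "").lower():
            self.refs.append({"tag": "link", "url": a["href"],
                              "integrity": a.get("integrity"),
                              "crossorigin": a.get("crossorigin")})


def external_refs(html, site_host):
    """Return the references that load from a host other than site_host.
    Relative URLs (no host) are same-origin and are not reported."""
    parser = RefCollector()
    parser.feed(html)
    found = []
    for ref in parser.refs:
        url = ref["url"]
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            found.append(dict(ref, host=host.lower()))
    return found


def audit(html, site_host):
    """Classify each third-party reference:
    'remove: polyfill.io' - loads from the compromised domain
    'missing-sri'         - external resource with no integrity attribute
    'ok'                  - external resource pinned with SRI"""
    findings = []
    for ref in external_refs(html, site_host):
        host = ref["host"]
        if host == FLAGGED_DOMAIN or host.endswith("." + FLAGGED_DOMAIN):
            status = "remove: polyfill.io"
        elif not ref["integrity"]:
            status = "missing-sri"
        else:
            status = "ok"
        findings.append((ref["tag"], ref["url"], status))
    return findings


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute an SRI integrity value ('sha384-<base64 digest>') for the
    exact bytes you intend to serve, e.g. a self-hosted copy of a library."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def pinned_script_tag(url: str, content: bytes) -> str:
    """Render a <script> tag that pins the resource to its SRI hash."""
    return (f'<script src="{url}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample page (not a real site) exercising each case.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/pinned.js"
        integrity="sha384-PLACEHOLDER-NOT-A-REAL-HASH" crossorigin="anonymous"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.example.test/style.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url, status in audit(SAMPLE_HTML, "www.example.test"):
        print(f"{status:22} {tag:6} {url}")
    print(pinned_script_tag("/static/vendor/lib.js", b"/* self-hosted copy */"))
```

Run the audit over your rendered pages or templates rather than a single URL, since a polyfill.io tag often lives in a shared layout. One caveat when applying the SRI advice: an integrity hash only works for a resource whose bytes never change, so it fits a self-hosted or versioned bundle; polyfill.io served bundles tailored to each visitor's browser, which is one more reason the right remediation for that dependency is removal or self-hosting rather than pinning.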
Does your organization need assistance with managing third-party risk in the software supply chain? Contact us today to learn how we can help.