IONIX Maps Impact of Customer Polyfill Supply Chain Attack – See if You’re Impacted

The Sansec.io research team warned today that a script from the polyfill.io domain and service, which was purchased earlier this year by a Chinese company named ‘Funnull’, has been modified to introduce malicious code on websites in a supply chain attack. Currently over 100,000 sites could be impacted.

Polyfill.io is a very popular JavaScript library and service which adds support for newer JavaScript functionality or browser APIs to older browsers that do not support them. Websites typically use Polyfill including a JavaScript tag in their HTML. This allows the Polyfill JavaScript to do anything to that page, including silently intercepting a user’s actions, embedded or overwriting content…

IONIX has taken action to detect all of our customer assets affected by this critical supply chain vulnerability currently tracked with CVE-2024-38526. All IONIX customers can reach out to their customer success manager who can pinpoint the impacted assets and the recommended remediation actions.

How IONIX Helps in a Supply Chain Attack like Polyfill

Our security research team maps publicly facing assets and the dependencies between those assets – we refer to this as our “Connective Intelligence”. By querying the graph of connected assets we can find many companies impacted by this supply chain attack, some of whom are connected to our customers and some not. Impact for our customers was identified in minutes of our research team seeing confirmation of exploits.

“The hardest thing to detect from the polyfill.io script attack is the supply chain impact, because there are few ways to analyze parts of the attack surface that you don’t own and manage. IONIX very quickly saw the potential that this threat poses for vendor-managed and digital supply chain assets, and in the last day have examined tens of thousands of assets that are connected to our customers worldwide. We can confirm from our research team that more than 50% of enterprises, by virtue of the size of their attack surface – are either directly or though their supply chain – impacted by this polyfill threat,” said Nethanel Gelertner, CTO and co-founder of IONIX.

Next Steps for Those Impacted

UPDATE June 27: Cloudfare has implemented real-time rewrites of cdn.polyfill.io to their own version. A little later, Namecheap has put the domain on hold altogether, which removes any current risk. However, you are still recommended to remove any polfill.io references in your code.

After the sale of Polyfill.io, the original developer, who never owned the site, warned website owners to remove it due to potential security risks. Or, to mitigate risks, Cloudflare and Fastly created their own alternatives to the service – links can be found here.

The malicious script injected by Funnull includes sophisticated techniques such as specific targeting of mobile devices and avoiding activation when an admin user is detected or when web analytics services are present. This makes it challenging to analyze and detect.

Google has started warning advertisers about this supply chain attack, notifying them that their landing pages may contain the malicious code, potentially redirecting visitors away from legitimate sites. Other services like Bootcss, Bootcdn, and Staticfile have also been flagged for similar issues, suggesting a widespread impact across thousands of websites.

The Polyfill.io supply chain attack highlights significant security concerns in the use of third-party services and underscores the importance of vigilance and deeper understanding of the digital suppy chain’s impact on your critical assets.

Reach out to us at IONIX if you’d like a free scan to see if you have any impacted assets, even and especially assets that are not directly managed by your organization.

More info can be found here:

• https://sansec.io/research/polyfill-supply-chain-attack
• https://nvd.nist.gov/vuln/detail/CVE-2024-38526
• Polyfill – MDN Web Docs Glossary: Definitions of Web-related terms | MDN
• https://developer.mozilla.org/en-US/docs/Glossary/Polyfill
• Is it true that polyfill.io hosting is going to be owned by a Chinese company? · Issue #2834 · polyfillpolyfill/polyfill-service