Hijacked Polyfill Supply Chain Attack Impacts More Than 110,000 Websites


Hijacked Polyfill Supply Chain Attack Impacts More Than 110,000 Websites

After a Chinese business purchased the domain and updated the JavaScript library known as “polyfill.js” to send users to harmful and scam websites, Google has taken measures to restrict advertisements for e-commerce websites that use the Polyfill.io service.

Approximately 110,000 websites that embed the library are affected by the supply chain attack, according to a report that was released by Sansec on Tuesday.

Polyfill is a well-known library that, when integrated into web browsers, provides support for certain contemporary functions. Concerns were voiced at the beginning of February of this year after the content delivery network (CDN) provider Funnull, which is based in China, purchased the company.

It was Andrew Betts, the original creator of the project, who urged website owners to immediately remove it. He added that “no website today requires any of the polyfills in the polyfill[.]io library.” Additionally, he stated that “most elements stated to the web platform are readily accepted by all major browsers, with a few exceptions that usually can’t be polyfilled anyway, like Web Serial and Web Bluetooth.”

Additionally, as a result of this development, web infrastructure companies Cloudflare and Fastly have begun offering alternate endpoints in order to assist consumers in transitioning away from polyfill.io.


Researchers from Cloudflare named Sven Sauleau and Michael Tremante made the observation at the time that “the issues are that any website embedding a link to the original polyfill[.]io domain will now be dependent on Funnull to maintain and secure the underlying project in order to avoid the risk of a supply chain attack.”

“Such an attack could happen if the underlying third party gets hacked or changes the code that is delivered to end users in malicious methods, leading to, consequently, all websites employing the tool being compromised.”

Since then, the domain “cdn.polyfill[.]io” has been discovered to be injecting malware that redirects users to pornographic and sports betting websites, according to the Dutch e-commerce security firm.

“The code has particular safeguards against reverse engineering, and only activates on specific mobile devices at specific hours,” according to the announcement. The detection of an administrative user does not cause it to activate either. Additionally, it takes longer to execute when a web analytics service is discovered, most likely so that it does not appear in the statistics.

San Francisco-based c/side has also issued an alert of its own, pointing out that the domain maintainers applied a Cloudflare Security Protection header to their website between March 7 and March 8, 2024.  In this alert, the developer, Andrew Betts, urged users on Twitter to remove references to this CDN after the sale:


Following the publication of an alert regarding a major security hole that affects websites for Adobe Commerce and Magento (CVE-2024-34102, CVSS score: 9.8), discoveries have been discovered. Despite the fact that remedies have been available since June 11, 2024, the flaw continues to be mainly unpatched.

“In itself, it enables anyone to read private files (such as those with passwords),” Sansec added, referring to the attack chain that was nicknamed CosmicSting. “However, combined with the recent icons bug in Linux, it turns into the security nightmare of remote code execution.”

It has recently come to light that third parties are able to get API admin access without the need for a Linux version that is vulnerable to the icons issue (CVE-2024-2961), which indicates that the severity of the problem has increased.

one year cyber security diploma course

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM.  Naager entered the field of content in an unusual way.  He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts.  He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field.  In the bottom line, he frequently writes for Craw Security.


Huge BSNL Data Leak Reveals Millions to Financial Fraud and SIM Card Cloning As Per A Threat Report

Canara Bank : X Handle “Hacked” Hacker Changes Username

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?