Polyfill.io Supply Chain Attack Affects Over 100,000 Websites

A recent cybersecurity threat has emerged through the compromise of the cdn.polyfill.io domain, affecting over 100,000 websites that use this domain to deliver JavaScript code. This attack, which has been identified as a Web supply chain attack, was discovered by security researchers who found that malicious code was being injected into scripts served from this domain. The attack involves dynamically generated payloads that redirect users to pornographic and sports-betting sites, posing serious risks such as data theft, clickjacking, and other malicious activities.

The malicious activity traces back to the sale of the polyfill.io domain earlier this year to a Chinese organization. Security experts are warning website owners to check their code for any references to the compromised domain in order to protect their sites and users. Because a single domain delivers scripts to so many sites, its compromise puts over 100,000 websites at immediate risk, which is what makes it a lucrative target for cybercriminals.

Researchers have uncovered that the compromised domain is injecting obfuscated code that evades detection and targets specific mobile devices. Users may unknowingly receive tampered JavaScript files that lead them to fake Google Analytics links, redirecting them to inappropriate websites based on their location. This manipulation of JavaScript code opens up the possibility of various attacks like formjacking, clickjacking, and data theft, highlighting the severity of this supply chain attack.

Polyfill users were warned about the risks associated with the polyfill.io domain after it was sold to a Chinese company earlier in the year. Despite these warnings and advisories, the malicious activity continued, prompting an awareness campaign through a site called Polykill. The site educates users about weaknesses in JavaScript supply chains and points to alternatives to the compromised domain for JavaScript delivery.

In response to this threat, immediate action is required to address the security implications of third-party resources, especially those hosting scripts that are widely used across websites. The Polyfill service itself remains secure, but website administrators must remove any references to the compromised domain from their sites. Threat feeds currently do not flag the domain, emphasizing the need for proactive measures to safeguard websites and users.

To mitigate the risks associated with malicious JavaScript injections, developers are advised to conduct thorough searches for instances of the compromised domain in their source code. Useful resources provided by the developer community, such as polyfill-fastly.net and polyfill-fastly.io, offer drop-in replacements for the affected domain. Moreover, Fastly’s fork of the open source code enables users to self-host the service and maintain complete control over the code delivered to users.
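One way to run the source-code search described above, as an added example (not code from the article or from any project it mentions): it flags polyfill.io and its subdomains while leaving the polyfill-fastly.io replacement and look-alike hostnames alone. The function names, the sample markup and the choice to match every subdomain are assumptions.

```python
import os
import re
import sys

# Flags polyfill.io and any subdomain (cdn.polyfill.io is the host the article names;
# matching other subdomains is an assumption). The lookarounds keep look-alikes such
# as notpolyfill.io or polyfill.io.cdn.example from matching.
FLAGGED = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*polyfill\.io(?![\w-]|\.[a-z])", re.IGNORECASE
)

# Constructed sample markup: two flagged references, one replacement, one look-alike.
SAMPLE = """\
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://polyfill-fastly.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io.cdn.example/p.js"></script>
"""

def scan_text(text):
    """Return (line_number, host, stripped_line) for each flagged reference."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in FLAGGED.finditer(line):
            hits.append((number, match.group(0).lower(), line.strip()))
    return hits

def scan_tree(root):
    """Walk root (skipping .git) and return (path, line_number, host, line) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as handle:
                    text = handle.read()
            except OSError:
                continue  # unreadable file: nothing to report
            findings.extend((path, *hit) for hit in scan_text(text))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else [("<sample>", *h) for h in scan_text(SAMPLE)]
    for path, number, host, line in results:
        print(f"{path}:{number}: {host}: {line}")
    sys.exit(1 if root and results else 0)  # non-zero exit lets a CI job fail on a hit
```

Pass a directory as the first argument to scan a checkout or a deployed web root; with no argument the script scans the constructed sample.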

In conclusion, the recent supply chain attack through the compromised cdn.polyfill.io domain serves as a reminder of the persistent threats faced by websites and their users. By taking proactive steps to remove references to vulnerable domains and implementing secure alternatives, website owners can safeguard against potential cyber threats and ensure the integrity of their online platforms.
