Polyfill Supply Chain Attack Hits 100K Websites
Over 100,000 websites fell victim to a recent web supply chain attack through the Polyfill JavaScript library. This incident underscores significant vulnerabilities in third-party script integration across the web.
This article covers what Polyfill does, why it’s now a threat, and the steps you should take if your website relies on it.
What are Polyfills and Polyfill[.]io?
Polyfills are pieces of JavaScript code that provide modern browser functionality in older browsers that lack native support. Polyfill[.]io, originally an open-source project, was a popular service that delivered these polyfills dynamically, tailored to the capabilities of the requesting browser.
Polyfill Supply Chain Attack
Earlier this year, the Polyfill[.]io domain was purchased by a Chinese company called Funnull. Subsequently, malicious JavaScript code was injected into the Polyfill library hosted on CDNs. This malicious code, embedded within scripts from domains like polyfill[.]io, bootcdn[.]net, bootcss[.]com, and others, exploited users’ browsers to perform various malicious activities.
These included redirecting users to phishing sites and stealing sensitive information, among other actions, with an effect akin to a stored Cross-Site Scripting (XSS) attack.
The attack had widespread consequences, exploiting the trust Polyfill had established among web developers globally. Compromised domains, including deceptive variations like googie-anaiytics[.]com, posed significant risks to user security.
In response, immediate actions were taken by domain registrars, content delivery networks, and tech companies like Google:
- Malicious domains were promptly suspended.
- Content delivery networks replaced Polyfill links with secure alternatives.
- Google blocked ads associated with compromised domains.
How to Defend against Supply Chain Attacks?
To secure your website from supply chain attacks, such as the recent Polyfill incident, take these immediate actions:
- Remove Polyfill[.]io References: Scan your website’s code for any mentions of Polyfill[.]io and delete them promptly. This includes checking HTML, JavaScript, and other scripts that may be loading from external sources.
- Watch for Fake URLs: Be vigilant against URLs that mimic popular services like Google Analytics (e.g., “googie-anaiytics[.]com”). Verify the legitimacy of all URLs used on your site.
- Check for Suspicious Scripts: Regularly inspect scripts delivered via the Polyfill domain for any signs of tampering or unauthorized changes.
- Monitor Redirects: Keep an eye out for unexpected redirects that send users to unrelated or malicious sites. Immediately investigate and resolve any suspicious redirects.
- Stay Updated: Ensure all software, libraries, and dependencies on your website are regularly updated from trusted sources. This helps mitigate vulnerabilities that attackers could exploit.
- Enhance Vigilance: Maintain ongoing monitoring of third-party services and CDNs integrated into your website. Look for any unusual activity or anomalies that could indicate a security breach.
AppTrana WAAP Approach to Mitigate Attack
AppTrana WAAP has coverage to prevent the Polyfill supply chain attack. However, because the rules carry a high likelihood of false positives, customers are advised to contact support so that false positives can be tuned out before the policies are applied to their site.
Don’t let third-party JavaScript compromise your data. Discover how to protect against client-side attacks that target vulnerabilities in web browsers.