Polyfill Supply Chain Attack Impacts 100K+ Sites


On 24 June 2024, cybersecurity company Sansec published a security advisory detailing how an associated Polyfill domain (cdn.polyfill[.]io) was being used to insert malicious code into scripts served to mobile end users in a web supply chain attack. Polyfill is a popular open-source JavaScript library embedded in more than 100,000 websites to provide polyfills: small pieces of code (usually JavaScript) that supply modern functionality on older browsers.

Notably, Funnull, a Chinese CDN company, became the operator and maintainer of the Polyfill GitHub repository and began providing service for the polyfill[.]io domain in February 2024. Following the transfer to Funnull, the Polyfill developer, Andrew Betts, urged users to remove it immediately. 

In at least one case, Sansec observed malicious code redirecting mobile users to a sports betting site using a fake Google analytics domain. The obfuscated code dynamically generates payloads based on HTTP headers and employs defense evasion techniques. It avoids admin users, delays execution if a web analytics service is found, and only redirects on specific mobile devices at specific hours of the day. 

Shortly after Sansec published, Google began notifying advertisers about the supply chain attack. Google noted that the issue could redirect visitors away from the intended website without the website owner’s knowledge or permission. 

Recommendation 

Remove Compromised Domain from Websites 

If your website uses polyfill[.]io, we strongly recommend removing it to prevent users from being redirected to malicious sites. If your website requires the use of the Polyfill library and it is not hosted within your own environment, consider leveraging an alternative endpoint from a reputable source. Since the ownership change to Funnull, multiple organisations have created alternatives including Fastly and Cloudflare. 
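The removal step above can be checked mechanically. The following is an added example, not code from the advisory or from Arctic Wolf: it scans static HTML for `<script>` and `<link>` elements that load from polyfill.io or any of its subdomains (including the cdn.polyfill.io host named in the advisory), reports each finding, and either strips the element or rewrites it to an alternative endpoint you supply. The sample HTML and the alternative-CDN URL are constructed placeholders; substitute the endpoint of whichever reputable mirror you choose.

```python
"""Find and remove references to the polyfill.io domain in static HTML (added example)."""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Domain named in the advisory; subdomains such as cdn.polyfill.io are matched too.
COMPROMISED_DOMAINS = ("polyfill.io",)

# Constructed sample page: two polyfill.io scripts, one preconnect hint, one unrelated script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.com/app.js"></script>
<link rel="preconnect" href="https://cdn.polyfill.io">
</head><body></body></html>"""


def is_compromised_host(url: str) -> bool:
    """True if the URL's host is polyfill.io or a subdomain of it.

    Protocol-relative URLs (//cdn.polyfill.io/...) are normalised first so
    urlparse sees a host. Look-alike hosts such as polyfill.io.example.com or
    notpolyfill.io are deliberately not matched.
    """
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in COMPROMISED_DOMAINS)


class PolyfillScanner(HTMLParser):
    """Collect every <script src> / <link href> that points at the compromised domain."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr = dict(attrs)
        url = attr.get("src") if tag == "script" else (attr.get("href") if tag == "link" else None)
        if url and is_compromised_host(url):
            line, _col = self.getpos()
            self.findings.append({"line": line, "tag": tag, "url": url})


def scan_html(html: str) -> list[dict]:
    """Return a list of findings (line, tag, url) for one HTML document."""
    parser = PolyfillScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Only external scripts with an empty body (<script src=...></script>) and <link> tags are
# rewritten; inline scripts are left alone and surface through scan_html instead.
_SCRIPT_RE = re.compile(r"<script\b[^>]*>\s*</script\s*>", re.IGNORECASE | re.DOTALL)
_LINK_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
_SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
_HREF_RE = re.compile(r"\bhref\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def remove_polyfill_references(html: str, replacement: Optional[str] = None) -> str:
    """Strip polyfill.io elements; if `replacement` is given, point scripts at it instead.

    `replacement` is the URL of an alternative endpoint you trust (placeholder here).
    """

    def fix_script(match: re.Match) -> str:
        src = _SRC_RE.search(match.group(0))
        if src and is_compromised_host(src.group(1)):
            return f'<script src="{replacement}"></script>' if replacement else ""
        return match.group(0)

    def fix_link(match: re.Match) -> str:
        href = _HREF_RE.search(match.group(0))
        if href and is_compromised_host(href.group(1)):
            return ""  # preconnect/dns-prefetch hints to the domain are simply dropped
        return match.group(0)

    html = _SCRIPT_RE.sub(fix_script, html)
    return _LINK_RE.sub(fix_link, html)


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: <{f['tag']}> loads {f['url']}")
    # Placeholder alternative endpoint; replace with the mirror you have vetted.
    print(remove_polyfill_references(SAMPLE_HTML, "https://ALTERNATIVE-CDN.example/polyfill.min.js"))
```

Run `scan_html` over every HTML template and static page in the deployment (and over server-side templates that emit script tags) before and after the rewrite; a clean result is an empty findings list. The host check matches on the parsed hostname rather than on a substring, so a plain `grep polyfill.io` would find the same lines but would also flag unrelated look-alike hosts.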


Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.