If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately

Scripts turn sus after mysterious CDN swallows domain


The polyfill.io domain is being used to infect more than 100,000 websites with malicious code after what's said to be a Chinese organization bought the domain earlier this year, researchers have said.

Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the polyfill.io domain to immediately remove it.

The site offered polyfills – useful bits of JavaScript code that add to older browsers functionality that is built into newer versions. These fill-ins make life easier for developers: by using polyfills, they know their web code will work across a greater range of browsers.

Now we're told polyfill.io is serving suspicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running potentially bad stuff in their browser.

"The cdn.polyfill.io domain is currently being used in a web supply chain attack," security monitoring biz c/side's Carlo D'Agnolo said in an advisory. "It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users."

Additionally, we understand Google has started blocking Google Ads for websites that use the impacted code, presumably to reduce traffic to them and cut the number of potential victims. Affected site owners have also been alerted by the internet giant.

"We detected a security issue recently that may affect websites using certain third-party libraries," a Google spokesperson told The Register. "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."

Sites that embed poisoned scripts from polyfill.io and also bootcss.com may end up unexpectedly redirecting visitors away from the intended location and sending them to undesirable sites, Google told advertisers.

More than 100,000 websites are already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a CDN operator believed to be Chinese that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack.

Though Funnull claims to be based in Slovenia and says it has offices around the world, the listed addresses are nonsensical, the website's underlying language is Mandarin, it may actually be located in the Philippines, and there are other odd things about the organization, leading folks to suspect the biz is actually Chinese in nature.

Polyfill.io is used by academic library JSTOR as well as Intuit, the World Economic Forum, and tons more.

Since February, "this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec, an e-commerce security company, warned, adding that any complaints about the malicious activity quickly vanish from the GitHub repository.

"The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely," Sansec noted, adding the code may, for example, redirect "mobile users to a sports betting site using a fake Google analytics domain."
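Because the served script is generated per request, what a site owner can check is not the code but the reference to it. The following Node.js scanner is an added example, not code from The Register, c/side, Sansec or any vendor named here: it finds `<script>` tags that load from the domains the article names (polyfill.io and bootcss.com, including subdomains and protocol-relative URLs) and strips them from a page. The sample HTML is constructed, and the base origin `example.invalid` is an assumption used only to resolve relative URLs as same-origin.

```javascript
// Added example: audit an HTML document for third-party scripts loaded from
// the domains named in the article, and remove them. Not vendor code.
const SUSPECT_DOMAINS = ["polyfill.io", "bootcss.com"];

// Matches a <script ...> opening tag that has a src attribute, capturing the
// quote character (group 1) and the URL (group 2), plus an empty closing tag.
const SCRIPT_TAG_RE =
  /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>(?:\s*<\/script\s*>)?/gi;

// Resolve the hostname of a src value. Absolute and protocol-relative URLs
// yield their real host; relative URLs resolve against the assumed base
// origin and therefore come back as the (never flagged) example.invalid.
function hostOf(src) {
  try {
    return new URL(src, "https://example.invalid/").hostname.toLowerCase();
  } catch {
    return null; // unparsable src: treat as not a remote script
  }
}

// True for the listed domains and any of their subdomains (cdn.polyfill.io),
// but not for look-alikes such as polyfill.io.example.com.
function isSuspectHost(host) {
  if (!host) return false;
  return SUSPECT_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Returns every script URL in the document that points at a suspect host.
function findSuspectScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    if (isSuspectHost(hostOf(m[2]))) hits.push(m[2]);
  }
  return hits;
}

// Returns the document with each suspect <script> element removed and all
// other script tags left untouched.
function stripSuspectScripts(html) {
  return html.replace(SCRIPT_TAG_RE, (tag, _quote, src) =>
    isSuspectHost(hostOf(src)) ? "" : tag
  );
}

// Constructed sample page: two suspect includes and one same-origin script.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script async src='//cdn.bootcss.com/jquery/3.6.0/jquery.min.js'></script>
<script src="/js/app.js"></script>
</head><body>ok</body></html>`;

console.log(findSuspectScripts(SAMPLE_HTML)); // the two remote includes above
```

Running it over real templates or crawled pages replaces the constructed `SAMPLE_HTML`; a hit means the page hands control of visitors' browsers to whoever operates that domain.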

In fact, Andrew Betts, who created the open source Polyfill project in the mid-2010s, told people earlier this year not to use polyfill.io at all. As we understand it, Betts maintained the project and contributed to its GitHub repo until a few years ago, and now argues that it's really no longer needed.

In February, he said he had nothing to do with the domain name and GitHub account's transfer to the mysterious CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.

"If you own a website, loading a script implies an incredible relationship of trust with that third party," he Xeeted at the time. "Do you actually trust them?"

Soon after, CDN providers including Fastly, where Betts works today, and Cloudflare created mirrors of polyfill.io so that sites could continue to use the code in the meantime without having to load stuff from a suspected Chinese entity.

"The concerns are that any website embedding a link to the original polyfill.io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare's Sven Sauleau and Michael Tremante said in February.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised," they added.

Now that seems to be the case. ®

Editor's note: This article was updated to clarify and include further observations about Funnull. Also, check out our follow-up coverage here.
