
Sheogorath's Blog

Helpful resources about the polyfill supply-chain attack


Today sansec.io published an article about a supply-chain attack against the popular polyfill.io service. polyfill.io is a JavaScript CDN that provides modern browser features to legacy browsers: a site embeds a script from cdn.polyfill.io, and the service serves backwards-compatible implementations (polyfills) of the required APIs where possible, tailored to the requesting browser.

The company “Funnull” bought the domain and the GitHub account at the beginning of this year. A Fastly employee raised the valid concern that this domain is embedded in thousands of websites, loading JavaScript into them, and would therefore be a huge supply-chain attack vector, especially since this includes payment forms.

Update 2024-06-28

The researchers from Sansec have extended their findings to the following domains:

  • bootcdn.net
  • bootcss.com
  • staticfile.net
  • staticfile.org
  • unionadjs.com
  • xhsbpza.com
  • union.macoms.la
  • newcrbpc.com

This falls in line with the warning Google issued on the topic. Bleeping Computer provides more details on the issue.

This was discovered thanks to an accidental leak of credentials for a Cloudflare account that seems to cover the operation and various domains. A pull request to block these additional domains in µBlock Origin is under way.

Management summary

Some websites and apps load resources from cdn.polyfill.io to improve compatibility with older devices. At the beginning of this year the domain polyfill.io was sold to a new owner. This company, called “Funnull”, is now accused of injecting malware into resources loaded from cdn.polyfill.io.

The Western Australia Security Operations Centre issued an advisory on the issue. Furthermore, Google has apparently notified various website owners that use cdn.polyfill.io on public websites in combination with Google Ads.

An in-place alternative is the fork hosted by Fastly, but the long-term solution is to remove these polyfills or self-host them. Note that Subresource Integrity (SRI) hashes cannot protect such an embed: the service tailors the served script to the requesting browser, so there is no single stable hash to pin.

Timeline

I couldn’t find any good article providing a detailed timeline yet.

What websites are affected?

Currently, all websites that embed scripts from cdn.polyfill.io. The research article links a helpful website that can show usage on public websites.

If you adjust the search query from the link in the article, you can use it to look for your own domains (e.g. example.com):

"cdn.polyfill.io" site:example.com

This should give you a quick assessment. However, it can produce false negatives (a search index only covers the pages it has crawled), so don’t trust an empty result.
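For the pages you control, the more reliable check is to scan the HTML you actually serve. The following is an added example, not code from the original post or from Sansec: it walks the URL-bearing attributes of a page and reports every reference whose hostname is, or sits under, one of the domains named in this post. The sample page is constructed for the demonstration, and the domain list simply reproduces the hostnames named above.

```python
"""Scan HTML for references to the domains tied to the polyfill.io incident.

Added example, not the blog author's code. The domain list reproduces the
hostnames named in the post; the sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames named in the post: the CDN itself plus the 2024-06-28 additions.
SUSPECT_DOMAINS = (
    "polyfill.io",
    "bootcdn.net",
    "bootcss.com",
    "staticfile.net",
    "staticfile.org",
    "unionadjs.com",
    "xhsbpza.com",
    "union.macoms.la",
    "newcrbpc.com",
)

# Attributes through which a page pulls in third-party code or content.
URL_ATTRIBUTES = {"src", "href", "data-src"}


def host_is_suspect(host, domains=SUSPECT_DOMAINS):
    """True if host equals or is a subdomain of one of the suspect domains.

    A plain substring test would also match unrelated names such as
    "notpolyfill.io" or "polyfill.io.example.org", so compare on label
    boundaries instead.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def url_host(url):
    """Return the hostname of an absolute or protocol-relative URL, else None."""
    url = url.strip()
    if url.startswith("//"):  # protocol-relative: //cdn.polyfill.io/v3/...
        url = "https:" + url
    parts = urlsplit(url)
    return parts.hostname if parts.scheme in ("http", "https") else None


class ReferenceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.references = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URL_ATTRIBUTES:
                self.references.append((tag, name, value))


def find_suspect_references(html, domains=SUSPECT_DOMAINS):
    """Return the (tag, attribute, url) tuples that point at a suspect domain."""
    collector = ReferenceCollector()
    collector.feed(html)
    return [
        (tag, attr, url)
        for tag, attr, url in collector.references
        if (host := url_host(url)) and host_is_suspect(host, domains)
    ]


# Constructed sample page: one polyfill.io script (protocol-relative), one
# stylesheet from an additional suspect domain, and one look-alike hostname
# that must NOT match.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="//cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="https://cdn.jsdelivr.net/npm/vue@3/dist/vue.global.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.6.2/css/bootstrap.min.css">
<script src="https://polyfill.io.example.org/not-the-cdn.js"></script>
</head><body><img src="/local/logo.png"></body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_suspect_references(SAMPLE_HTML):
        print(f"<{tag} {attr}=...> {url}")
```

Run it over your templates, built assets and any HTML fragments stored in a CMS; references created at runtime by other scripts (tag managers, A/B-testing tools) will not show up here, so pair it with the DNS monitoring described further down.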

What clients are affected?

Potentially any web browser that loads the script: the CDN injects code into the served resources that performs malicious redirects.

Monitor your DNS for suspicious queries to identify devices that might not have effective ways to block polyfill.io, like TVs and phones, where it might be used by apps.
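The following is an added example of that monitoring, not code from the original post: it reads a resolver query log, maps every client that asked for one of the domains named here to the names it requested, and separately flags reply lines that show the CDN resolving to the bsclink.cn backend this post mentions as the probable attack-time CNAME target. The log lines are constructed in the style of dnsmasq's --log-queries output (the format Pi-hole inherits); the two regular expressions are the only part that needs adapting for another resolver.

```python
"""Flag DNS activity tied to the polyfill.io incident in a resolver query log.

Added example, not the blog author's code. The log lines below are constructed
in the style of dnsmasq's --log-queries output (the format Pi-hole inherits);
adapt the two regexes for other resolvers.
"""
import re
from collections import defaultdict

# Hostnames named in the post: the CDN itself plus the 2024-06-28 additions.
SUSPECT_DOMAINS = (
    "polyfill.io",
    "bootcdn.net",
    "bootcss.com",
    "staticfile.net",
    "staticfile.org",
    "unionadjs.com",
    "xhsbpza.com",
    "union.macoms.la",
    "newcrbpc.com",
)
# Backend the post reports (via dnshistory.org) as the CDN's probable CNAME
# target during the attack. It shows up in reply lines, not in client queries.
BACKEND_DOMAINS = ("bsclink.cn",)

# "query[A] cdn.polyfill.io from 192.168.1.23"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)
# "reply cdn.polyfill.io is <CNAME>" / "reply cdn.polyfill.io.bsclink.cn is 203.0.113.10"
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<answer>\S+)")


def host_is_suspect(host, domains=SUSPECT_DOMAINS):
    """Match on label boundaries so look-alikes such as notpolyfill.io do not hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines):
    """Return (clients, backend_hits).

    clients: {client_ip: {suspect names it queried}}, i.e. the devices to look at.
    backend_hits: [(name, answer)] for reply lines whose name sits under the
    attack backend, i.e. evidence the CDN resolved there at the time.
    """
    clients = defaultdict(set)
    backend_hits = []
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            if host_is_suspect(q["name"]):
                clients[q["client"]].add(q["name"].lower().rstrip("."))
            continue
        r = REPLY_RE.search(line)
        if r and host_is_suspect(r["name"], BACKEND_DOMAINS):
            backend_hits.append((r["name"], r["answer"]))
    return dict(clients), backend_hits


# Constructed sample log: 192.168.1.23 asks for the CDN and gets a local block,
# 192.168.1.77 (say, a TV app) is forwarded upstream and the CNAME chain ends
# at the attack backend, 192.168.1.40 only asks for a look-alike name.
SAMPLE_LOG = """\
Jun 28 09:12:01 dnsmasq[812]: query[A] cdn.polyfill.io from 192.168.1.23
Jun 28 09:12:01 dnsmasq[812]: config cdn.polyfill.io is 0.0.0.0
Jun 28 09:12:02 dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.23
Jun 28 09:12:05 dnsmasq[812]: query[A] cdn.staticfile.org from 192.168.1.77
Jun 28 09:12:06 dnsmasq[812]: query[A] cdn.polyfill.io from 192.168.1.77
Jun 28 09:12:06 dnsmasq[812]: forwarded cdn.polyfill.io to 9.9.9.9
Jun 28 09:12:06 dnsmasq[812]: reply cdn.polyfill.io is <CNAME>
Jun 28 09:12:06 dnsmasq[812]: reply cdn.polyfill.io.bsclink.cn is 203.0.113.10
Jun 28 09:12:09 dnsmasq[812]: query[A] polyfill.io.example.org from 192.168.1.40
"""

if __name__ == "__main__":
    clients, backend_hits = scan_log(SAMPLE_LOG.splitlines())
    for ip, names in sorted(clients.items()):
        print(f"{ip}: {', '.join(sorted(names))}")
    for name, answer in backend_hits:
        print(f"resolved via attack backend: {name} -> {answer}")
```

Only clients that use your resolver appear in this log; a browser or app doing its own DNS over HTTPS or DNS over TLS bypasses it entirely, which is the same blind spot the hosts-file mitigation below has.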

How can this be mitigated?

On the client side, the best way to mitigate this long term is to use an ad blocker. For µBlock Origin, I submitted an update to their badware list that blocks polyfill.io in your browser.

Furthermore, you can add DNS blocks using a local resolver like Pi-hole.

To block it locally, you can also add a hosts entry to /etc/hosts or %windir%\system32\drivers\etc\hosts that looks like this: 0.0.0.0 cdn.polyfill.io. Hosts files match exact names only, so every hostname you want blocked (including those under the additional domains listed above) needs its own line. Be aware that browsers using DNS over HTTPS (DoH) or DNS over TLS (DoT) bypass the system resolver and therefore ignore hosts entries and local DNS blocks.

Finally, the served version is currently switched back to the Cloudflare mirror (cdn.polyfill.io.cdn.cloudflare.net.), which should serve “good” versions. However, this could change at any point.

According to dnshistory.org, the CDN DNS name used during the attack was probably cdn.polyfill.io.bsclink.cn.