Update July 2, 2024: a new rule written by the Semgrep team now clarifies that the malware is offline, so this is a post-incident fix, and lets you replace uses of polyfill.io with Cloudflare’s alternative.
Update June 28, 2024: the polyfill.io domain has been taken down by the domain’s registrar, Namecheap. This means websites using that polyfill CDN will no longer be able to inject malware through sites that embed it, but the polyfill functionality will still be broken on those sites. Continue reading below for more on the polyfill supply chain attack and how to replace use of polyfill in application code.
Over 100k websites use a CDN service with the domain polyfill.io. A malicious actor has purchased the domain and is now using it to deliver malware. Check to see if your source code is affected by running Semgrep code search across all your repositories to detect its presence.
What is polyfill?
A polyfill refers to code that adds modern functionality to older web browsers that don’t support that functionality natively.
In February 2024, the creator of the original polyfill service tweeted:
“No website today requires any of the polyfills in the polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.”
“If your website uses http://polyfill.io, remove it IMMEDIATELY.
I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale.”
According to the security firm Sansec, “in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.”
To mitigate this widespread attack, Google is alerting advertisers affected by the malicious code on their landing pages that could redirect visitors. They've also identified other CDNs like Bootcss, Bootcdn, and Staticfile as similar security risks, impacting thousands of sites.
How the exploit works
With control over the polyfill.io domain, the attackers can inject any JavaScript code into websites that rely on this service. Initial reports suggest the actor has been leveraging this to redirect users to unintended websites. The code only operates during certain times of the day and on devices meeting certain conditions. More details are available in Sansec’s post about the attack.
Remediation
The Semgrep Security Research Team wrote a Semgrep rule to detect the use of polyfill.io in your websites and applications. You can run the rule across all your repositories using Semgrep code search. Use this rule to replace uses of polyfill.io with Cloudflare’s alternative.
Note: Semgrep code search is in beta and currently only available for Semgrep customers hosting code on GitHub.com
If your website or application still requires polyfill.io, replace those uses with Cloudflare’s alternative endpoint (see their post). Cloudflare has fully implemented polyfill.io functionality and deployed it to https://cdnjs.cloudflare.com/polyfill/.
The underlying bundle link is:
For minified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js
For unminified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.js
Cloudflare’s implementation intends to be identical to the original polyfill.io site, and Fastly also published an alternative.
Conclusion
As CDNs for software packages decline in popularity, expect to see more incidents like this, highlighting the risks associated with legacy software dependencies. Stay informed and protect your projects from potential vulnerabilities.
