Early in February 2024, a massive supply chain attack occurred after the company Funnull acquired the domain of the popular Polyfill CDN service (polyfill.io) and its associated GitHub account. Polyfill is a widely used JavaScript library that ensures compatibility of modern JavaScript features in older browsers, such as screen resolution handling and media queries.

Soon after ownership changed hands, the domain began injecting malicious JavaScript code into over 110,000 websites that embedded scripts from cdn.polyfill.io. These sites, which included phishing and malicious advertising sites, impacted mobile devices by redirecting them to various scam sites. Several libraries and domains beyond cdn.polyfill.io were impacted. This suspicious behavior led to security researchers at Sansec discovering the severe vulnerability on June 25, 2024.

Additionally, CVE-2024-38526 (which affects the pdoc package), has been published in connection with the vulnerability.

The vulnerability is considered a serious threat because it involves malicious code injection that redirects users to harmful sites or downloads malicious files. This type of attack can lead to data theft, malware distribution, and unauthorized access to sensitive information.

In this blog, we will cover an in-depth overview of the polyfill supply chain vulnerability, how it works, remediation strategies, similar case studies, and how to use FOSSA’s tools to detect and mitigate such vulnerabilities.

Polyfill Vulnerability Background and Impact

After Funnull bought the domain, Andrew Betts, the original developer of Polyfill.io, warned users against using the service. Betts had no control over the domain's new ownership and suspected potential foul play. His suspicions were echoed by developers, such as Amy Blankenship on LinkedIn, who also urged others to stop using Polyfill.io from CDN. 

The exploit primarily impacts websites embedding scripts from cdn.polyfill.io and other associated domains such as bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, and newcrbpc.com. Environments utilizing these scripts, especially those not implementing strict content security policies (CSPs) or subresource integrity (SRI), are vulnerable. Websites using secure mirrors or alternative polyfill libraries are not impacted.

How the Polyfill Supply Chain Attack Works

The Polyfill supply chain attack begins when a user visits a website that relies on the Polyfill service. This service was traditionally used to ensure older browsers could support modern JavaScript functionalities by requesting the polyfill.js file from cdn.polyfill.io. However, after Funnull acquired the domain, the code was tampered with and embedded with malicious scripts.

Here’s a breakdown of how the attack unfolds:

  1. Initial request: When a user visits a website that utilizes Polyfill, the site requests the polyfill.js file from cdn.polyfill.io to enhance browser compatibility.
  2. Code modification: Unfortunately, under Funnull's control, this JavaScript file has been altered to contain malicious code.
  3. Malware injection: As the compromised script is loaded from cdn.polyfill.io, it is loaded into the context of the website, without the website owner’s knowledge.
  4. Execution of compromised script: Once the user's browser loads the compromised page, it executes the malicious polyfill.js script, giving the malicious script access to any data on that page or any data that is accessible from the context of that page.

How the Malicious Code Avoids Detection

The malicious code in the Polyfill.io vulnerability is cunningly designed to trigger only under specific conditions, particularly when accessed from mobile devices. This stealthy behavior allows it to evade detection by not executing when web analytics tools are present or when an admin user is logged in, making it challenging for security systems and website administrators to catch. 

Additionally, the code cleverly adapts to its environment by dynamically generating payloads based on the HTTP headers it receives, tailoring its attack methods to the situation at hand. This adaptability makes the code especially dangerous as it can modify its approach based on the context in which it operates.

List of Impacted Libraries and Domains

Impacted libraries and domains beyond cdn.polyfill.io, include:

  • bootcdn.net
  • bootcss.com
  • staticfile.net
  • staticfile.org
  • unionadjs.com
  • xhsbpza.com
  • union.macoms.la
  • newcrbpc.com

Additionally, indicators of compromise (IoCs) for checking in logs include:

  • https://www.googie-anaiytics.com/html/checkcachehw.js
  • https://www.googie-anaiytics.com/ga.js
  • https://cdn.bootcss.com/highlight.js/9.7.0/highlight.min.js
  • https://newcrbpc.com/redirect?from=bscbc
  • https://kuurza.com/redirect?from=bitget
  • https://union.macoms.la/jquery.min-4.0.2.js

Polyfill Mitigation and Responses

On June 27, 2024, security researchers reported the malicious use of the Polyfill.io domain to Namecheap. Immediately after receiving these reports, Namecheap announced it had removed the Polyfill.io domain due to the injection of malicious JavaScript code into websites.

Additionally, Cloudflare, Google, and Fastly mitigated the impact by providing safe mirrors for the scripts to prevent further exploitation. Google also took proactive steps by informing advertisers about the possible contamination of their landing pages with malicious scripts and urging them to remove any references to cdn.polyfill.io to prevent further risks. This highlights the serious nature of the attack and the necessity for ongoing vigilance in monitoring and updating third-party scripts.

Despite these measures, new findings from Censys revealed that more than 380,000 hosts were still embedding the malicious Polyfill script as of July 2, 2024. It is unclear exactly how much damage has been done, but the extensive use of the compromised script indicates a potentially significant impact.

Finding and Fixing the Polyfill Supply Chain Attack

FOSSA customers can determine whether they’re using the pdoc package and are impacted by the Polyfill CVE CVE-2024-38526 in several ways.

  1. Use our Package Index feature: Navigate to Package Index, search for “CVE-2024-38526,” and any impacted packages or projects will appear in the search results.
  2. Use Global Security Issues and search for the CVE.
  3. Use Package Index to search for pdoc, the package affected by the CVE. It will show in the results if it exists within your environment.

You can then action on the package and project based on the results. Doing a version bump to pdoc 14.5.1 will generally be a recommended course of action.

Alternatively, if you’re using Polyfill.io directly, make sure to remove references to cdn.polyfill.io from your website. You can choose to replace them with safe mirrors (from Google, Cloudfare, and Fastly) referenced in the previous section.

Feel free to reach out to our team for more information about how FOSSA Vulnerability Management can help your organization manage software supply chain security.

Editor's Note: FOSSA's Product Team also contributed to this article.