A critical exploit just hit the scene, targeting cdn.polyfill.io, a popular domain for polyfills. Over 110,000 websites have been compromised by this supply chain attack, which embeds malware into JavaScript assets.
TL;DR
If your website uses http://polyfill.io/, remove it IMMEDIATELY.
Who does this supply chain attack affect?
The cdn.polyfill.io domain has been hijacked to serve malicious scripts. This means any site relying on this domain for polyfills—a method of adding new functionality to older browsers, like modern JavaScript functions—is at risk. Security researchers at Sansec were the first to identify the many instances of malware payloads, which included redirecting mobile users to a sports betting site,
This supply chain attack can compromise your users' data and the integrity of your applications, and even includes built-in protection against reverse engineering and other clever tricks to prevent you from observing how it affects your end users.
Aikido's Research Team continuously adds new advisories for dependencies that use polyfill[.]io under the hood, which would leave your applications vulnerable to the supply chain attack. Some notable dependencies include:
- albertcht/invisible-recaptcha (Over 1m installs)
- psgganesh/anchor
- polyfill-io-loader
Since details about the attack were publicly released, Namecheap put the domain name on hold, preventing any requests to the polyfill malware. While that does prevent the spread of malware in the short term, you should still continue with a proper remediation.
How can you fix this vulnerability?
Scan your code now. Aikido’s SAST feature scans your codebase for any instances of cdn.polyfill.io.
Create an Aikido account to get your code scanned
Any findings around this Polyfill supply chain attack will jump to the top, as they have a critical 100 score. Make sure to remove all detected instances of polyfills immediately to protect yourself and your users from this critical supply chain attack.
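A local check along the same lines, as an added example (not Aikido's scanner and not code from the original article): it walks a source tree and reports every reference to polyfill.io or its subdomains, plus the three dependencies listed above. The function names and the skipped directories are assumptions made for this sketch.

```python
import re
import sys
from pathlib import Path

# polyfill.io or any subdomain of it, but not look-alike hosts such as
# notpolyfill.io or polyfill.io.example.com.
DOMAIN_RE = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*polyfill\.io(?![\w-]|\.[\w-])", re.I)
# Packages the article lists as using polyfill.io under the hood.
PACKAGES = ("albertcht/invisible-recaptcha", "psgganesh/anchor", "polyfill-io-loader")
PACKAGE_RE = re.compile(r"(?<![\w/-])(" + "|".join(map(re.escape, PACKAGES)) + r")(?![\w/-])")
SKIP_DIRS = {".git", ".hg", ".svn"}  # assumption: VCS metadata is never served


def scan_text(text):
    """Return (line_number, kind, matched_string) for every hit in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits += [(number, "domain", m.group(0).lower()) for m in DOMAIN_RE.finditer(line)]
        hits += [(number, "package", m.group(1)) for m in PACKAGE_RE.finditer(line)]
    return hits


def scan_tree(root):
    """Walk root (vendored code included) and return (path, line, kind, match)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if b"\0" in data[:4096]:  # crude binary check: skip images, archives
            continue
        text = data.decode("utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        findings += [(rel, *hit) for hit in scan_text(text)]
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, number, kind, match in results:
        print(f"{rel}:{number}: {kind}: {match}")
    sys.exit(1 if results else 0)  # non-zero exit lets a CI job fail on any hit
```

This only finds the hostname and package names written out literally; a URL assembled at runtime or stored encoded will not match, so also review the rendered pages' outgoing script requests.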
The good news is that according to the original author, you can likely remove cdn.polyfill.io, or any of the affected dependency packages, without affecting the end-user experience of your application.
No website today requires any of the polyfills in the http://polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.
If you do require Polyfill capabilities, you can tap into recently-deployed alternatives from Fastly or Cloudflare.