Malicious JavaScript injected into 100k websites

TLDR: A popular JavaScript library named Polyfill.js has been caught conducting supply chain attacks through its CDN and library by injecting malicious code into pages delivered to mobile users. Researchers recommend that website owners remove any reference to Polyfill.js from their websites immediately to avoid further damage from the attack. It is estimated that more than 110,000 sites have been affected by this library.
Polyfill.js Introduction
Polyfill.js is a JavaScript library used to provide modern functionality on older browsers that do not natively support certain JavaScript features. It allows web developers to use newer JavaScript features and APIs without worrying about compatibility issues with older browsers. It is used by many well-known websites to enrich their functionality. According to an estimate, more than 100K sites embed it using the cdn.polyfill.io domain. Some of the notable users of this library are Intuit, JSTOR and the World Economic Forum.
Detail of the Supply Chain Attack by Polyfill
A Chinese company bought the domain and the GitHub account of this library in February 2024. Since then, this domain has been caught injecting malware on mobile devices via any site that embeds polyfill.js code from the cdn.polyfill.io CDN. The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware which redirects mobile users to a sports betting site using a fake Google Analytics domain (www.googie-anaiytics.com). The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user, and it delays execution when a web analytics service is found, presumably to stay out of the stats.
Should BatchNepal Customers Worry?
Although we do not use polyfill.js on any of our clients' or personal websites, we still recommend that our customers check whether they added the library manually. In that case, remove the script immediately and contact us for immediate help. We will research and mitigate the risks created by the library. For any npm packages that reference the polyfill.js library, we recommend removing the links to the polyfill domain and checking the code.
The original polyfill author recommends not using Polyfill at all, as it is no longer needed by modern browsers anyway. As of now, both Fastly and Cloudflare have put up trustworthy alternatives if you still need it.
Recent Updates Regarding Polyfill.js
Cloudflare has implemented real-time rewrites of cdn.polyfill.io to their own version. A little later, Namecheap put the domain on hold altogether, which eliminates the risk for now. However, you are still recommended to remove any polyfill.io references from your code.
Google has already started blocking Google Ads for eCommerce sites that use polyfill.io.
Conclusion
We recommend that everyone remove the polyfill.js library from their projects or use its alternatives. Most browsers don't need polyfill due to packages like Babel and core-js. We also recommend cross-checking any package or CDN library code before using it. From now on, the following domains will be kept in a warning zone and treated as malicious actors by the BatchNepal Cybersec Team:
bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com
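The cleanup recommended above can be automated. The following is an added example, not code from the original post or from BatchNepal: a small Node.js scanner that flags references to cdn.polyfill.io, the fake analytics domain and the warning-zone domains listed in this post inside HTML or JavaScript source, and also lists third-party script tags that carry no Subresource Integrity hash. The sample page at the bottom is constructed for demonstration.

```javascript
// Domains named in this post: the hijacked CDN, the fake analytics host
// and the BatchNepal warning-zone list. Subdomains are matched too.
const FLAGGED_DOMAINS = [
  "polyfill.io", "googie-anaiytics.com", "bootcdn.net", "bootcss.com",
  "staticfile.net", "staticfile.org", "unionadjs.com", "xhsbpza.com",
  "union.macoms.la", "newcrbpc.com",
];

// Returns the flagged base domain for a hostname (e.g. cdn.polyfill.io
// -> polyfill.io), or null when the host is not on the list.
function matchesFlaggedDomain(hostname) {
  const h = hostname.toLowerCase();
  return FLAGGED_DOMAINS.find((d) => h === d || h.endsWith("." + d)) || null;
}

// Captures the hostname of every absolute or protocol-relative URL.
const URL_RE = /(?:https?:)?\/\/([a-z0-9.-]+)(?:[/:"'\s]|$)/gi;

// Scans HTML/JS source line by line; one finding per flagged reference.
function findFlaggedReferences(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(URL_RE)) {
      const domain = matchesFlaggedDomain(m[1]);
      if (domain) findings.push({ line: i + 1, host: m[1], domain });
    }
  });
  return findings;
}

// Third-party <script src> tags without integrity= cannot be pinned by the
// browser. polyfill.io served content tailored to each browser, which is
// exactly what SRI cannot cover, so every unpinned external script is worth
// reviewing when auditing a site for this incident.
const SCRIPT_RE = /<script\b([^>]*)>/gi;
const SRC_RE = /\bsrc\s*=\s*["']?((?:https?:)?\/\/[^"'\s>]+)/i;
function findUnpinnedScripts(source) {
  const out = [];
  for (const m of source.matchAll(SCRIPT_RE)) {
    const src = SRC_RE.exec(m[1]);
    if (src && !/\bintegrity\s*=/i.test(m[1])) out.push(src[1]);
  }
  return out;
}

// Constructed sample page (not a real site) used to exercise the scanner.
const SAMPLE_HTML = [
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>',
  '<script src="https://cdn.example.com/app.js" integrity="sha384-AAAA"></script>',
  "<script src='//unpkg.example.org/lib.js'></script>",
  "var u = 'https://www.googie-anaiytics.com/ga.js';",
].join("\n");
```

Running `findFlaggedReferences` over a project's built HTML and bundles, and reviewing whatever `findUnpinnedScripts` returns, gives a quick first pass at the "remove any polyfill.io reference" step.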