Supply chain attacks against web applications are a growing concern, as they can have severe consequences for e-commerce sites and their users. One recent example of such an attack involves the popular JavaScript library Polyfill.io.
Polyfill.io is a service that serves polyfills, JavaScript shims that give older browsers support for modern web features. However, concerns arose earlier this year when the domain was acquired by Funnull, a Chinese content delivery network (CDN) company. The purchase raised questions about the security of the library and its potential for misuse.
According to a report by Sansec, more than 110,000 sites that embed the Polyfill.io library were impacted by a supply chain attack. The Chinese company modified the library’s JavaScript file, called “polyfill.js,” to redirect users to malicious and scam sites. This type of attack is particularly concerning because it targets not just a single website, but multiple sites that rely on the library.
The original creator of Polyfill.io, Andrew Betts, responded to the attack by urging website owners to immediately remove the library. He stated that “no website today requires any of the polyfills in the polyfill[.]io library” and that most modern browsers already support the necessary functions. Betts also noted that some features, such as Web Serial and Web Bluetooth, cannot be polyfilled and therefore do not require the library.
The acquisition of Polyfill.io by Funnull also led web infrastructure providers Cloudflare and Fastly to offer alternative endpoints for users to move away from the compromised library. The concern is that relying on Funnull to maintain and secure the library poses a significant risk of a supply chain attack. If the Chinese company were to be compromised or alter the code in nefarious ways, all websites using the library would be at risk.
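As an added example (not code from the article, Sansec, c/side or Polyfill.io), the following Python audit inventories the third-party script hosts a page loads and flags any reference to the polyfill.io domain that the article says should be removed or replaced. The sample HTML and the first-party host `shop.example` are constructed for illustration.

```python
"""Inventory third-party <script> sources in a page and flag polyfill.io.
Added example; the sample page below is constructed, not a real site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Delivery domain named in the article as serving the modified polyfill.js.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_scripts(html, first_party_host):
    """Return (sorted third-party hosts, list of flagged polyfill.io URLs).
    Scheme-relative URLs (//cdn.example/x.js) are resolved as https."""
    parser = ScriptCollector()
    parser.feed(html)
    third_party, flagged = set(), []
    for src in parser.sources:
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if not host or host == first_party_host:
            continue  # relative or first-party script, not a supply-chain dependency
        third_party.add(host)
        if host in FLAGGED_HOSTS or host.endswith(".polyfill.io"):
            flagged.append(src)
    return sorted(third_party), flagged


# Constructed sample page mixing first-party, analytics and polyfill.io scripts.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example/js/cart.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//analytics.example/tag.js" async></script>
</head><body></body></html>"""

if __name__ == "__main__":
    hosts, flagged = audit_scripts(SAMPLE_PAGE, "shop.example")
    print("third-party script hosts:", hosts)
    for url in flagged:
        print("remove or migrate to an alternative endpoint:", url)
```

Running it over crawled or templated pages gives the inventory of external script origins that the article recommends evaluating, with the compromised domain called out separately.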
Sansec, a Dutch e-commerce security firm, discovered that the domain “cdn.polyfill[.]io” has been injecting malware that redirects users to sports betting and pornographic sites. The injected code includes several evasion measures, such as activating only on specific mobile devices at certain hours and staying dormant when an admin user is detected. The code also delays execution when a web analytics service is detected, likely to avoid detection.
In response to these findings, San Francisco-based c/side issued its own alert, noting that the domain maintainers added a Cloudflare Security Protection header to their site. This implies that the attackers are actively taking steps to protect their malicious activities and avoid detection.
These supply chain attacks on web security are particularly concerning when coupled with other vulnerabilities. For example, a critical security flaw (CVE-2024-34102) affecting Adobe Commerce and Magento websites allows anyone to read private files, including those containing passwords. When combined with a recent Linux bug (CVE-2024-2961) related to the iconv library, this flaw becomes even more severe, potentially leading to remote code execution.
It is crucial for website owners and developers to stay vigilant and regularly update their systems to address known vulnerabilities. In addition, reliance on third-party libraries and services should be carefully evaluated, considering their security track record and potential for supply chain attacks. Ongoing monitoring and collaboration with security professionals can help identify and mitigate risks associated with these types of attacks.
In conclusion, the supply chain attack on the Polyfill.io library serves as a reminder of the importance of web security and the potential risks associated with third-party dependencies. Website owners must remain proactive in their security measures and take steps to protect their users from any potential vulnerabilities that could lead to compromise and data breaches.