Polyfill.io Library Supply Chain Attack Impacting Over 100k Sites and Customers
Quick Report
A supply chain attack has been discovered in the popular JavaScript service Polyfill.io, impacting over 100,000 websites and their visitors. The attack was carried out by injecting malicious code into the script served from the polyfill.io domain, allowing the attackers to steal sensitive information from users of any site that embedded it.
The domain and service were purchased by a Chinese company named Funnull, which modified the served source code to inject malicious code into websites using the script. Polyfill is a JavaScript library that adds modern functionality found in Chrome, Mozilla and WebKit-based browsers to older browsers, so that developers can write code that works across all browsers.
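Because the compromise lives in a third-party script tag rather than in a site's own code, the first practical check is to find every page that still loads anything from the polyfill.io domain. The following is an added example, not code from the original report or from the Polyfill project: it scans an HTML document for `<script src=...>` references whose hostname is polyfill.io or a subdomain, handling absolute and protocol-relative URLs. The sample HTML is constructed for illustration.

```javascript
// Added example (not from the original report): locate <script> tags that
// load code from polyfill.io so a site owner can remove or replace them.

// Constructed sample page: two polyfill.io references (absolute and
// protocol-relative), one script on an unrelated CDN host, one local script
// and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

// Matches a <script ...> opening tag and captures its src attribute value.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Resolve the src against a placeholder base so that relative ("/x.js") and
// protocol-relative ("//host/x.js") URLs parse; the base is an assumption and
// only matters for relative paths, which are by definition not polyfill.io.
function scriptHostname(src) {
  try {
    return new URL(src, "https://example.invalid/").hostname.toLowerCase();
  } catch {
    return null; // unparsable src; not attributable to any host
  }
}

// True for polyfill.io itself and any subdomain such as cdn.polyfill.io,
// but not for hosts that merely contain the string (e.g. notpolyfill.io).
function isPolyfillIoHost(hostname) {
  return hostname === "polyfill.io" || hostname.endsWith(".polyfill.io");
}

// Returns the src values of every script tag that loads from polyfill.io.
function findPolyfillIoScripts(html) {
  const hits = [];
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    const src = match[1];
    const host = scriptHostname(src);
    if (host !== null && isPolyfillIoHost(host)) {
      hits.push(src);
    }
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findPolyfillIoScripts(SAMPLE_HTML));
}
```

The check is deliberately host-based rather than string-based so that a mirror of the same library on another host is not flagged. Pinning the script with Subresource Integrity would not have helped here: polyfill.io generated a different bundle per browser User-Agent, so there was no single hash to pin, which is why removing or replacing the reference is the only reliable fix.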
The issue was brought to attention by a cybersecurity company called Sansec. The original developer also pointed out that he never owned the domain or the code repository and had no say in its sale.
Fortunately, Cloudflare and Fastly quickly made their own copies of the original, unmodified polyfill code available from their CDNs, free of the malicious script injection, and notified their customers. Cloudflare made this available to both free and paid customers.
Google also started sending email notifications to affected customers and advertisers.
Source(s)
- Archived Polyfill.io GitHub PR link
- Bleeping Computer Article