Over 100,000 sites have been impacted in a supply chain attack by the Polyfill.io service after a Chinese company acquired the domain and the script was modified to redirect users to malicious and scam sites.
A polyfill is code, such as JavaScript, that adds modern functionality to older browsers that do not natively support it. For example, a polyfill can implement a JavaScript function that newer browsers provide built in but older ones lack.
The polyfill.io service is used by hundreds of thousands of sites to allow all visitors to use the same codebase, even if their browsers do not support the same modern features as newer ones.
Polyfill.io supply chain attack
Today, cybersecurity company Sansec warned that the polyfill.io domain and service were purchased earlier this year by a Chinese company named 'Funnull' and that the script has been modified to introduce malicious code on websites in a supply chain attack.
"However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," explains Sansec.
When the polyfill.io domain was purchased, the project developer warned that he never owned the polyfill.io site and that all websites should remove it immediately. To reduce the risk of a potential supply chain attack, Cloudflare and Fastly set up their own mirrors of the Polyfill.io service so that websites could use a trusted service.
"No website today requires any of the polyfills in the http://polyfill.io library," tweeted the original Polyfills service project developer.
"Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."
Over the past few months, the developer's prediction came true, and the polyfill.io service was CNAMEd to polyfill.io.bsclink.cn, which the new owners maintain.
Websites that embedded the cdn.polyfill.io scripts therefore began pulling code directly from the Chinese company's infrastructure.
However, website developers found that the new owners were injecting malicious code that redirected visitors to unwanted sites without the website owner's knowledge.
In an example seen by Sansec, the modified script is primarily used to redirect users to scam sites, such as a fake Sportsbook site. It does this through a fake Google analytics domain (www.googie-anaiytics.com) or redirects like kuurza.com/redirect?from=bitget.
However, the researchers say it has been difficult to fully analyze the modified script as it utilizes very specific targeting and is resistant to reverse engineering.
"The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours," continued Sansec.
"It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."
Currently, the cdn.polyfill.io domain has been mysteriously redirected to Cloudflare. However, as the domain's DNS servers remain unchanged, the owners could easily switch it back to their own domains at any time.
Cybersecurity firm Leak Signal created a website called Polykill.io that lets you search for sites using cdn.polyfill.io and provides information on switching to alternatives.
BleepingComputer contacted Cloudflare to see if they were involved in the change in CNAME records but has not heard back.
Google issues warning to advertisers
Google has begun notifying advertisers about this supply chain attack, warning them that their landing pages include the malicious code and could redirect visitors away from the intended site without the website owner's knowledge or permission.
Google also warns that Bootcss, Bootcdn, and Staticfile have also been found to cause unwanted redirects, potentially adding thousands, if not hundreds of thousands, of sites impacted by the supply chain attacks.
"The code causing these redirects seems to be coming from a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org," reads the email from Google.
"Similar reports can be found by searching for 'polyfill.io' on Google (https://www.google.com/search?q=polyfill.io)."
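Because the injected code only activates for certain visitors (specific mobile devices, specific hours, not admin users), checking a page for references to the named providers is more reliable than watching for the redirect. The scanner below is an added example, not code from BleepingComputer, Sansec or Google; the HTML sample is constructed, and the host list is taken from the providers named above (cdnjs.cloudflare.com is included only as an unaffected control).

```python
"""Flag <script>/<link> tags that load from the providers named in the
Polyfill.io incident. Added example; not the article's or Sansec's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Providers named in Google's email as sources of unwanted redirects.
# Subdomains (cdn.polyfill.io, cdn.bootcss.com, ...) are matched by suffix.
AFFECTED_HOSTS = {"polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org"}


def is_affected(host: str) -> bool:
    """True if host is one of the affected providers or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in AFFECTED_HOSTS)


class ThirdPartyScanner(HTMLParser):
    """Collects (tag, url, host) for every external script or stylesheet
    whose host matches AFFECTED_HOSTS."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") if tag == "script" else (
            attrs.get("href") if tag == "link" else None)
        if not url:
            return
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # same-origin paths such as /js/app.js yield no hostname and are skipped.
        host = urlparse(url.strip()).hostname
        if host and is_affected(host):
            self.findings.append((tag, url, host))


def scan_html(html: str):
    """Return the list of flagged (tag, url, host) tuples found in html."""
    scanner = ThirdPartyScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: three affected loads, one safe CDN, one local script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.staticfile.org/example/example.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/example/1.0/x.min.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url, host in scan_html(SAMPLE_HTML):
        print(f"{tag}: {url} (host {host})")
```

Run it over saved copies of a site's own pages; each hit is a tag to remove or point at one of the Cloudflare or Fastly mirrors mentioned above.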
Google warns that if they find these redirects during regular checks of ad destinations, they will disapprove the related advertisement.
In a Shopify support forum post found by Sansec's Willem de Groot, numerous advertisers reported that Google started disapproving their ads around June 15th when detecting the 'googie-anaiytics' redirect.
Others in the thread claimed that the Polyfill script was behind the issue and that it would need to be removed to comply with Google Ads policies.
Update 6/25/24: When asked for further information about these emails and the supply chain attack, Google sent us the following statement.
"Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries," Google told BleepingComputer.
"To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."
Update 6/26/24: Added the approximate time Google started disapproving ads associated with this incident and information on the PolyKill.io site.