Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after the domain was acquired by a Chinese company and the JavaScript library (“polyfill.js”) was modified to redirect users to malicious and scam sites.
Sansec said in a Tuesday report, “More than 110,000 sites that embed the library are impacted by the supply chain attack.”
Polyfill is a popular library that adds support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by the China-based content delivery network (CDN) company Funnull.
The original creator of the project, Andrew Betts, urged site owners to remove it immediately, adding that “no website today requires any of the polyfills in the polyfill[.]io library” and that “most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can’t be polyfilled anyway, like Web Serial and Web Bluetooth.”
The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users migrate away from polyfill[.]io.
Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time, “The concerns are that any website embedding a link to the original polyfill[.]io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack.”
“Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised.”
The Dutch e-commerce security firm said the domain “cdn.polyfill[.]io” has since been found injecting malware that redirects users to sports betting and pornographic sites.
“The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours,” it said. “It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.”
San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.
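Because the malicious script is served from the third-party domain itself, the practical defender check is to find every page that still loads it. The following scanner is an added example for this article (not code from Sansec, Cloudflare or the polyfill project); it parses HTML and reports any script or link whose host is polyfill.io or a subdomain of it, matching on the parsed hostname rather than a substring so that unrelated URLs that merely mention the domain are not flagged. The sample HTML is constructed for the example.

```python
"""Find script/link tags that load from the polyfill.io domain.

Added example for this article, not code from Sansec, Cloudflare or
the polyfill project. Site owners can run it over their templates or
rendered pages to locate the dependency the article says to remove.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

WATCHED_DOMAIN = "polyfill.io"  # the acquired domain named in the article


def _is_watched(url: str) -> bool:
    """True when the URL's host is polyfill.io or any subdomain of it."""
    # Protocol-relative URLs ("//cdn.polyfill.io/...") have no scheme;
    # add one so urlsplit can extract the host.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower()
    return host == WATCHED_DOMAIN or host.endswith("." + WATCHED_DOMAIN)


class _RefCollector(HTMLParser):
    """Collect <script src> and <link href> references to the domain."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag == "script":
            url = attrs.get("src")
        elif tag == "link":
            url = attrs.get("href")
        if url and _is_watched(url):
            # getpos() gives (line, column) of the tag in the input.
            self.hits.append({"tag": tag, "url": url, "line": self.getpos()[0]})


def find_polyfill_references(html: str) -> list:
    """Return one dict per tag that loads from the watched domain."""
    parser = _RefCollector()
    parser.feed(html)
    return parser.hits


# Constructed sample page: three real loads, two look-alikes that must not match.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<link rel="preload" as="script" href="https://cdn.polyfill.io/v3/polyfill.min.js">
<script src="https://example.com/js/app.js?ref=polyfill.io"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head><body></body></html>"""
```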
The findings follow an advisory about a critical security flaw affecting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.
“In itself, it allows anyone to read private files (like those with passwords),” Sansec said, which codenamed the exploit chain CosmicSting. “However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution.”
It has since emerged that third parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.