More than 384,000 websites link to a site that was caught in a supply chain attack last week that redirected visitors to malicious sites, researchers said.
For years, the JavaScript code hosted on polyfill[.]com was a legitimate open source project that allowed older browsers to handle advanced features that they did not support by default. By linking to cdn.polyfill[.]io, websites could enable devices with older browsers to display content in newer formats. The free service was popular among websites because they only had to embed the link into their sites; the code hosted on the polyfill site did the rest.
The Power of Supply Chain Attacks
In February, China-based Funnull acquired the domain and GitHub account hosting the JavaScript code. On June 25, researchers from security firm Sansec reported that code hosted on the polyfill domain had been modified to redirect users to adult and gambling-themed websites. The code was intentionally designed to mask the redirects by only running at certain times of the day and only against visitors who met specific criteria.
The revelation prompted calls across the industry for action. Two days after the Sansec report was published, domain registrar Namecheap suspended the domain, a move that effectively prevented the malicious code from running on visitors’ devices. At the same time, content delivery networks like Cloudflare began automatically replacing polyfill links with domains that led to safe mirror sites. Google blocked ads for sites that embedded the polyfill[.]io domain. Website blocker uBlock Origin added the domain to its filter list. And Andrew Betts, the original creator of Polyfill.io, urged website owners to immediately remove links to the library.
As of Tuesday, exactly a week after the malicious behavior came to light, 384,773 sites continued to link to the site, according to researchers at security firm Censys. Some of the sites were associated with mainstream companies, including Hulu, Mercedes-Benz and Warner Bros., as well as the federal government. The findings underscore the power of supply-chain attacks, which can spread malware to thousands or millions of people simply by infecting a common resource they all rely on.
“Since the domain was suspended, the supply chain attack has stopped,” Aidan Holland, a member of the Censys Research Team, wrote in an email. “However, if the domain were to be suspended or transferred again, it could resume its malicious behavior. I hope NameCheap has properly locked down the domain and prevented this from happening.”
In addition, the Internet scan performed by Censys found that there were over 1.6 million sites linking to one or more domains registered by the same entity that owns polyfill[.]io. At least one of the sites, bootcss[.]com, was observed in June 2023 performing malicious actions similar to polyfill. That domain and three others (bootcdn[.]net, staticfile[.]net and staticfile[.]org) were also found to have leaked a user's authentication key for accessing a Cloudflare programming interface.
Censys researchers wrote:
So far, this domain (bootcss.com) is the only one showing signs of potential maliciousness. The nature of the other associated endpoints remains unknown, and we avoid speculation. However, it would not be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack could abuse these other domains for similar activities in the future.
Of the 384,773 sites that still link to polyfill[.]com, 237,700, or nearly 62 percent, were hosted by Germany-based web host Hetzner.
Censys found that several mainstream sites, both in the public and private sectors, were among the sites linking to polyfill. These included:
- Warner Bros. (www.warnerbros.com)
- Hulu (www.hulu.com)
- Mercedes-Benz (shop.mercedes-benz.com)
- Pearson (digital-library-qa.pearson.com, digital-library-stg.pearson.com)
- ns-static-assets.s3.amazonaws.com
The amazonaws.com address was the most common domain associated with sites that still linked to the polyfill site. This is an indication of the widespread use of Amazon's S3 static website hosting among users.
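Site owners can run the same kind of check Censys did against their own pages: parse the HTML, collect every third-party script and stylesheet reference, and flag hosts under the domains named in this article. The following is an added example written for this page, not Censys's or Sansec's tooling; the watch-list and the sample page are constructed here for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the article names as compromised or registered by the same entity.
# Constructed watch-list for this example, not a published indicator feed.
WATCHED_DOMAINS = {
    "polyfill.io", "polyfill.com", "bootcss.com",
    "bootcdn.net", "staticfile.net", "staticfile.org",
}

class ExternalRefCollector(HTMLParser):
    """Collect src of <script> tags and href of <link> tags from a page."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.refs.append(a["href"])

def host_of(url):
    # Embed snippets often use protocol-relative URLs ("//cdn.example/...").
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()

def matches_watchlist(host):
    # Match the apex domain and any subdomain (cdn.polyfill.io, www.bootcss.com),
    # but not look-alikes such as notpolyfill.io.
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_risky_embeds(html):
    """Return the sorted set of watch-listed hosts a page loads code or CSS from."""
    parser = ExternalRefCollector()
    parser.feed(html)
    return sorted({host_of(u) for u in parser.refs if matches_watchlist(host_of(u))})

# Constructed sample page, not any real site's HTML.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for host in find_risky_embeds(SAMPLE_HTML):
        print("third-party embed on watch-list:", host)
```

Feeding the scanner a crawl of your own pages surfaces every reference that needs to be removed or pointed at a vetted mirror, as the article recommends.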
Censys also found 182 domains ending in .gov, which means they are affiliated with a government entity. One such domain—feedthefuture[.]gov—is affiliated with the U.S. federal government. A list of the top 50 affected sites is here.
Attempts to reach Funnull representatives for comment were unsuccessful.