June 26, 2024 at 01:01AM
Google has blocked ads for e-commerce sites using Polyfill.io due to a supply chain attack. The Chinese company Funnull acquired the domain and altered the JavaScript library to redirect users to malicious sites, impacting over 110,000 sites. Concerns have been raised about the security and maintenance of the library, prompting alternative solutions from Cloudflare and Fastly.
Key takeaways from the meeting notes:
– Google has blocked ads for e-commerce sites using the Polyfill.io service due to a supply chain attack initiated by a Chinese company that acquired the domain and modified the JavaScript library to redirect users to malicious sites.
– More than 110,000 sites have been impacted by the supply chain attack, prompting concerns among web infrastructure providers such as Cloudflare and Fastly.
– Sansec reported that the domain “cdn.polyfill.io” has been injecting malware, redirecting users to sports betting and pornographic sites.
– A critical security flaw (CVE-2024-34102) affecting Adobe Commerce and Magento websites has been identified, allowing unauthorized access to private files and remote code execution.
– Third parties can gain API admin access without a Linux version vulnerable to the iconv issue (CVE-2024-2961), heightening the severity of the security issue.
These takeaways highlight the urgency of addressing the supply chain attack on Polyfill.io and the critical security flaws impacting Adobe Commerce and Magento websites. They also underscore the need for heightened security measures to mitigate the risks posed by these vulnerabilities.
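A practical first step for a site operator reading this is to find out whether any page still loads scripts from the compromised domain. The following is an added example, not code from the original report or from any of the vendors named above: it scans an HTML document for `<script src>` and `<link href>` references whose host is `polyfill.io` or any of its subdomains (so `cdn.polyfill.io` is caught, and a look-alike such as `notpolyfill.io` is not), including the protocol-relative `//cdn.polyfill.io/...` form that many pages used. The sample HTML is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The domain named in the report; every subdomain of it (e.g. cdn.polyfill.io)
# is treated as affected.
AFFECTED_HOSTS = ("polyfill.io",)


def _is_affected_host(url: str) -> bool:
    # Protocol-relative references ("//cdn.polyfill.io/...") are common in
    # pages; urlsplit only extracts a hostname when a scheme is present.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower()
    # Exact or suffix match on a dot boundary, so "notpolyfill.io" is ignored.
    return any(host == h or host.endswith("." + h) for h in AFFECTED_HOSTS)


class PolyfillRefFinder(HTMLParser):
    """Collects (tag, url) pairs for resources loaded from polyfill.io."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") if tag == "script" else attrs.get("href") if tag == "link" else None
        if url and _is_affected_host(url):
            self.findings.append((tag, url))


def find_polyfill_references(html: str):
    """Return every script/link reference in `html` that points at polyfill.io."""
    parser = PolyfillRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two affected references, two that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_polyfill_references(SAMPLE_HTML):
        print(f"{tag}: {url}")
```

Run it over each rendered page (or template) of the site; every hit is a reference to remove or replace with a self-hosted copy.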