June 26, 2024 at 03:11PM
The domain polyfill[.]io, used by over 100,000 websites to load JavaScript code, has been compromised and is serving malicious code, including dynamically generated payloads, and redirecting visitors to porn and betting sites. The sale of the domain to a Chinese organization had already raised security concerns. Website owners are urged to remove all references to the domain and to take immediate action.
These notes describe a security threat in which the domain polyfill[.]io is being used in a web supply chain attack. Security researchers have discovered that the cdn[.]polyfill[.]io domain has been compromised to serve malicious code, embedded in the scripts it delivers to end users, in a widespread attack that can enable data theft, clickjacking and other attacks. An estimated 100,000 websites are at immediate risk.
The malicious code dynamically generates payloads, redirects users to inappropriate sites, and can potentially lead to data theft. The researchers advise website owners to check their code for any use of the polyfill[.]io domain and remove it from their applications. Andrew Betts, the developer of the open source Polyfill project, had already urged users to stop using the polyfill[.]io domain after it was purchased by Funnull, a Chinese company, back in February.
It is crucial for users of Polyfill to take immediate action and remove the cdn[.]polyfill[.]io domain from their websites. The Polykill website provides alternatives and resources for developers to secure websites that use Polyfill, suggesting the use of polyfill-fastly[.]net and polyfill-fastly[.]io as replacements for polyfill[.]io in a website’s code.
Lastly, it’s important to note that the Polyfill service itself is still considered solid, and it’s recommended to host your own version in a safe and controlled environment without using the compromised domain.
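The check the researchers recommend, finding every `src`/`href` on a page that points at polyfill[.]io and repointing it at the Polykill-suggested polyfill-fastly[.]net (or a self-hosted copy), as an added example that is not part of the original notes or of the Polyfill project; the sample HTML is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts the notes name: the compromised domain and the replacement suggested via Polykill.
COMPROMISED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}
REPLACEMENT_HOST = "polyfill-fastly.net"  # swap for your own host if you self-host Polyfill

# src/href attribute values; covers https://, http:// and protocol-relative //host/path forms.
_URL_ATTR_RE = re.compile(r'''(src|href)\s*=\s*(["'])(?P<url>[^"']+)\2''', re.IGNORECASE)

# Constructed sample page (not from any real site) mixing flagged and harmless references.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src='//polyfill.io/v2/polyfill.js'></script>
<link rel="preconnect" href="https://cdn.polyfill.io">
<script src="https://example.com/app.js"></script>
</head><body></body></html>"""

def _host_of(url):
    # Protocol-relative URLs (//cdn.polyfill.io/...) carry no scheme, which urlparse needs.
    parsed = urlparse("https:" + url if url.startswith("//") else url)
    return (parsed.hostname or "").lower()

def _is_compromised(host):
    return host in COMPROMISED_HOSTS or host.endswith(".polyfill.io")

def find_polyfill_refs(markup):
    """Return (line_number, url) for every src/href pointing at the compromised domain."""
    hits = []
    for lineno, line in enumerate(markup.splitlines(), start=1):
        for m in _URL_ATTR_RE.finditer(line):
            if _is_compromised(_host_of(m.group("url"))):
                hits.append((lineno, m.group("url")))
    return hits

def rewrite_polyfill_refs(markup):
    """Repoint flagged references at REPLACEMENT_HOST, keeping path and query intact."""
    def _swap(m):
        attr, quote, url = m.group(1), m.group(2), m.group("url")
        host = _host_of(url)
        if _is_compromised(host):
            url = re.sub(re.escape(host), REPLACEMENT_HOST, url, count=1, flags=re.IGNORECASE)
        return f"{attr}={quote}{url}{quote}"
    return _URL_ATTR_RE.sub(_swap, markup)

if __name__ == "__main__":
    for lineno, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"line {lineno}: {url}")
    print(rewrite_polyfill_refs(SAMPLE_HTML))
```

Run `find_polyfill_refs` over every HTML and template file in a site to locate references; re-running it on the rewritten output should return an empty list.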