news-03072024-143423

Many website administrators have still not been told to remove links to Polyfill[.]io, leaving a significant supply-chain threat in place. The JavaScript code originally hosted on polyfill[.]com was a legitimate open source project that allowed older browsers to handle advanced functions that they did not natively support. By linking to cdn.polyfill[.]io, websites could ensure that devices with legacy browsers could render content in newer formats. This free service was widely used because all website owners had to do was embed the link in their sites; the code hosted on the polyfill site took care of the rest.

In February, a China-based company called Funnull acquired the domain and the GitHub account that hosted the JavaScript code. On June 25, researchers from security firm Sansec discovered that the code hosted on the polyfill domain had been altered to redirect users to adult- and gambling-themed websites. The malicious code was designed to redirect visitors only at specific times of the day and only when they met certain criteria.

After the Sansec report was published, industry-wide actions were taken. Domain registrar Namecheap suspended the domain, preventing the malicious code from running on visitor devices. Content delivery networks such as Cloudflare began automatically rewriting polyfill links to point at domains hosting safe mirror copies. Google blocked ads for sites embedding the Polyfill[.]io domain, and the content blocker uBlock Origin added the domain to its filter list. The original creator of Polyfill[.]io, Andrew Betts, urged website owners to remove links to the library immediately.

Despite these efforts, as of now, 384,773 sites still link to the malicious domain, including mainstream companies like Hulu, Mercedes-Benz, and Warner Bros., as well as government websites. This underscores the danger of supply-chain attacks, which can infect thousands or millions of people by compromising a common source they all rely on.

Censys researchers also discovered over 1.6 million sites linking to domains registered by the entity that owns polyfill[.]io. One of these sites, bootcss[.]com, was observed engaging in malicious activity similar to polyfill's. This raises concerns that the same actor could continue the exploitation through other domains in the future.
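The remediation the article describes, removing embedded links to the affected domain, starts with finding them. The scanner below is an added example, not code from the article or from any of the vendors named in it; it walks a page's HTML and reports every script, stylesheet or iframe whose host is polyfill.io or bootcss.com (the two domains the article names) or a subdomain such as cdn.polyfill.io, while ignoring same-origin paths that merely contain the word "polyfill". The sample page is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the article names as serving (or suspected of serving) the
# malicious redirect code. Subdomains (cdn.polyfill.io, ...) also match.
FLAGGED_DOMAINS = ("polyfill.io", "bootcss.com")

# Tag -> attribute that pulls a remote resource into the page.
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src"}


def is_flagged(url, domains=FLAGGED_DOMAINS):
    """True if url's host is a flagged domain or a subdomain of one."""
    host = urlsplit(url.strip()).hostname  # handles '//host/path' as well
    if not host:  # relative path, no host at all: same-origin, not flagged
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


class ThirdPartyScanner(HTMLParser):
    """Collects (line, tag, url) for every resource loaded from a flagged host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)  # HTMLParser lowercases tag names
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value and is_flagged(value):
                line, _col = self.getpos()  # 1-based line of the start tag
                self.findings.append((line, tag, value))


def scan_html(html):
    """Return [(line, tag, url), ...] for flagged third-party references."""
    parser = ThirdPartyScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two polyfill references (one upper-case and
# protocol-relative), one bootcss stylesheet, one benign CDN, one local path.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//CDN.POLYFILL.IO/v2/polyfill.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://example.com/app.js"></script>
<script src="/static/polyfill.io-shim.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for line, tag, url in scan_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

Run it over each page (or over the HTML a crawler fetched) and every reported line is a tag to delete or repoint; a page with no findings has no remaining reference to the flagged hosts.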

Of the sites still linking to polyfill[.]com, over 62 percent were hosted by Germany-based web host Hetzner. Additionally, various mainstream sites in the public and private sectors, including Warner Bros., Hulu, Mercedes-Benz, and government-affiliated domains, were found to be linking to the malicious domain.

Efforts to reach representatives from Funnull for comment have been unsuccessful. The situation highlights the importance of vigilance and prompt action in addressing supply-chain threats to safeguard users and businesses online.