Polyfill.io JavaScript supply chain attack impacts over 100K sites (Security News, June 2024)

Over 100,000 sites have been impacted in a supply chain attack by the Polyfill.io service after a Chinese company acquired the domain and the script was modified to redirect users to malicious and scam sites.
The polyfill.io service is used by hundreds of thousands of sites so that every visitor runs the same codebase, even when their browser lacks modern features that newer browsers support.
Today, cybersecurity company Sansec warned that the polyfill.io domain and service were purchased earlier this year by a Chinese company named 'Funnull' and that the script has been modified to introduce malicious code on websites in a supply chain attack.
To reduce the risk of a potential supply chain attack, Cloudflare and Fastly set up their own mirrors of the Polyfill.io service so that websites could use a trusted service.
Google has begun notifying advertisers about this supply chain attack, warning them that their landing pages include the malicious code and could redirect visitors away from the intended site without the website owner's knowledge or permission.
Google also warns that Bootcss, Bootcdn, and Staticfile have been found to cause unwanted redirects, potentially adding thousands, if not hundreds of thousands, of sites impacted by the supply chain attacks.
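As an added example (not code from the report, Sansec, or Polyfill.io), a small scanner a site owner can run over their own HTML to find script and stylesheet tags still loading from the hosts named above. polyfill.io comes from the report; the bootcss.com, bootcdn.net and staticfile.org/.net entries are an assumption about which domains Bootcss, Bootcdn and Staticfile serve from.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts to flag. polyfill.io is named in the report; the other entries are
# assumptions about which domains Bootcss, Bootcdn and Staticfile serve from.
FLAGGED_HOSTS = ("polyfill.io", "bootcss.com", "bootcdn.net",
                 "staticfile.org", "staticfile.net")


def is_flagged(host):
    """True if host is one of the flagged domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class ThirdPartyScanner(HTMLParser):
    """Collect <script src> and <link href> tags that load from flagged hosts.
    Protocol-relative URLs (//host/path) parse with a hostname, so they are
    covered; relative paths (/js/app.js) have no hostname and are first-party."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return
        host = urlparse(url).hostname
        if is_flagged(host):
            # 'integrity' is informational only: a server that tailors its
            # response per browser (as polyfill.io does) cannot be SRI-pinned.
            self.findings.append({"tag": tag, "url": url, "host": host,
                                  "has_integrity": "integrity" in a})


def scan_html(html):
    """Parse one HTML document and return the flagged third-party loads."""
    scanner = ThirdPartyScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (not from any real site) exercising each URL form.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/style.css" integrity="sha384-PLACEHOLDER">
</head><body></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['tag']:6} {f['host']:16} integrity={f['has_integrity']} {f['url']}")
```

Replacing a flagged tag with a self-hosted copy of the file (or a mirror you trust) removes the dependency on whoever controls the original domain.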