Defending Your Code: Strategies to Mitigate Polyfill Supply Chain Attacks

Original Post: Protect your code from the Polyfill supply chain attack

Summary

Over 100,000 websites use a CDN service with the domain polyfill.io, which has recently been compromised by a malicious actor to deliver malware. Users are advised to check their source code with Semgrep to detect this issue.

What is Polyfill?

Polyfill adds modern features to older browsers that don’t support them natively. As of February 2024, the creator of the original polyfill service has indicated that most modern websites no longer need these polyfills and advised removing any use of the polyfill.io domain immediately.

Attack Details

A Chinese company acquired the domain and the associated GitHub account in February. The domain has since been used to inject malware into websites that rely on the service. Google is alerting advertisers affected by this malicious code, and similar risks have been identified with other CDNs.

How the Exploit Works

Attackers use the compromised domain to inject JavaScript code into websites, redirecting users to unintended sites under certain conditions. More details can be found in Sansec’s research.

Remediation

A Semgrep rule can help detect the use of polyfill.io in repositories. Websites that still require polyfills should switch to Cloudflare’s alternative endpoint, which avoids any disruption in service.
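
The repository check described above can also be run without Semgrep. The following is an added example, not the Semgrep rule and not code from the original post: a small Node.js function that flags lines loading anything from polyfill.io or one of its subdomains while ignoring lookalike hosts and file names. The function name, the regular expression and the sample HTML are constructed for illustration.

```javascript
// Added example: flag URL references to polyfill.io (and subdomains) in source text.
// Names below are hypothetical; they do not come from Semgrep or the original post.

// Match the host only where it is a URL authority: after "//" (covers http://,
// https:// and protocol-relative //), optional subdomain labels, then polyfill.io
// followed by a character that ends the host (or end of line).
const POLYFILL_HOST = /\/\/(?:[a-z0-9-]+\.)*polyfill\.io(?=[\/:?#"'\s>)]|$)/i;

// Returns one finding per matching line: { file, line, match }.
function findPolyfillReferences(fileName, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    const match = POLYFILL_HOST.exec(line);
    if (match) {
      // slice(2) drops the leading "//" so only the host is reported
      findings.push({ file: fileName, line: index + 1, match: match[0].slice(2) });
    }
  });
  return findings;
}

// Constructed sample input: two real references and three lines that must not match.
const SAMPLE_HTML = [
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>',
  '<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>',
  '<script src="https://polyfill.io.example.com/p.js"></script>',
  '<script src="https://cdn.example.com/mypolyfill.io.js"></script>',
  '<!-- polyfill.io mentioned in a comment, no URL -->',
].join('\n');

// Prints the two findings (lines 1 and 2 of the sample).
console.log(findPolyfillReferences('index.html', SAMPLE_HTML));
```

Run it over templates, bundled output and CMS theme files as well as hand-written HTML, since the script tag is often injected by a plugin or build step rather than typed by a developer.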

Conclusion

Relying on legacy software dependencies like polyfill.io poses security risks. Developers should stay informed and protect their projects from similar vulnerabilities.
