Original Post: Polyfill supply chain attack embeds malware in JavaScript CDN assets
On June 25, 2024, the Sansec team announced that a well-known JavaScript polyfill project had been compromised by a Chinese company, leading to the insertion of malicious code in assets fetched from the CDN source cdn.polyfill.io. This breach affected over 100,000 websites, including large corporations like Intuit. The polyfill project, originally developed by Andrew Betts, dynamically injected JavaScript based on user agents to ensure compatibility across browsers. Betts had previously disassociated himself from the cdn.polyfill.io site.
There’s no specific npm polyfill library implicated, but other software ecosystems, such as the pdoc library on PyPI, have been affected. The issue in pdoc has been fixed in version 14.5.1.
A JavaScript polyfill is a piece of code enabling new functionalities on older browsers. Historically, polyfills bridged the gap between different browser versions.
CDNs, crucial for delivering JavaScript polyfills, can introduce security risks like Cross-site Scripting (XSS) when compromised: a script served by the CDN runs with the full privileges of the embedding page, so malicious code can be executed within users’ browsers, causing significant harm.
Snyk’s VS Code extension can detect vulnerable libraries imported via static script imports, enhancing security by flagging such risks.
To protect against CDN supply chain attacks, it’s recommended to use trusted CDNs, regularly audit dependencies, use Subresource Integrity (SRI), implement strong Content Security Policies (CSP), keep libraries updated, and evaluate the necessity of polyfills.