Over 100K+ Sites Hit by Polyfill.io Supply Chain Attack
A supply chain attack on Polyfill.io affected 100,000+ websites, redirecting mobile users to a betting site. Security measures like link rewriting and integrity checks are advised to mitigate risks in web development.
A supply chain attack affecting the Polyfill.io service has impacted over 100,000 websites, as reported by the e-commerce security firm Sansec. The attack involved a malicious actor taking control of multiple domains to spread malware since June 2023. The malware injected into websites via cdn.polyfill.io redirected mobile users to a sports betting site. The original creator of Polyfill.io, Andrew Betts, disassociated himself from the domain and advised removing Polyfill from websites. Cloudflare introduced a service that rewrites links to Polyfill.io so they point at a secure version. Concerns were raised about the security of popular JavaScript libraries hosted on third-party domains, emphasizing the need for trust and caution. Suggestions included implementing subresource integrity checks and reconsidering the use of CDNs in light of changes brought by HTTP/2. The incident highlights ongoing security risks in the web development industry and the importance of vigilance in managing third-party dependencies.
Related
Malicious Code Injection Found in CDN Polyfill Link Targeting Mobile Users
Polyfill.io selectively polyfills browser features based on User-Agent headers. Tailored polyfills are provided, with official documentation on their website. Contribution guide on GitHub, self-hosting info, and MIT license available.
Polyfill supply chain attack hits 100K+ sites
A supply chain attack on Polyfill JS affects 100,000+ websites, including JSTOR and Intuit. Malware redirects mobile users to a betting site. Users advised to switch to trusted alternatives like Fastly and Cloudflare.
If you're using Polyfill.io code on your site – remove it immediately
A Chinese organization acquired polyfill.io, infecting 100,000+ websites with malware. Security warnings urge removal of its JavaScript code. Google blocks ads on affected sites. CDN mirrors aim to reduce risks.
Cloudflare automatically fixes Polyfill.io for free sites
Cloudflare replaces polyfill.io links with their mirror under cdnjs to enhance Internet safety, addressing concerns of malicious code injection. Users urged to switch to Cloudflare's mirror for improved security.
Namecheap Takes Down Polyfill.io Service Following Supply Chain Attack
Namecheap took down Polyfill.io due to a supply chain attack. Malware was distributed to 110,000 websites, redirecting mobile users to a betting site. Google warned affected pages. Users should remove Polyfill.io and consider alternatives like Cloudflare or Fastly.