Polyfill Supply Chain Attack

A script from the polyfill.io domain and service has been altered to inject malicious code on websites in a supply chain attack.

Background:

Popular JavaScript library and service Polyfill.io allows outdated browsers that do not support browser APIs or newer JavaScript capabilities to support them. Usually, websites employ Polyfill by incorporating an HTML tag with JavaScript code. This gives the Polyfill JavaScript full control over that page, enabling it to do anything it wants, such as discreetly recording user input or replacing any content.

A script from the polyfill.io domain and service, which was acquired earlier this year by a Chinese firm called “Funnull,” has been altered to inject malicious code on websites in a supply chain attack, the Sansec.io research team recently warned. At the moment, more than 100,000 sites could be affected.

Polyfill CDN:

A Content Delivery Network (CDN) is a distributed worldwide server system that serves users with web content according to their location. When it comes to JavaScript polyfill libraries, content delivery networks (CDNs) are essential since they effectively host and serve these libraries worldwide. Developers can reduce latency and improve load times by using content delivery networks (CDNs) to guarantee that their polyfills are delivered to users promptly and consistently. Developers were also able to avoid bundling JavaScript libraries by using a CDN.

A popular content delivery network (CDN) that dynamically provided polyfills depending on the HTTP headers of incoming requests was cdn.polyfill.io in the case of the malicious polyfill takeover. This ensured maximum compatibility by delivering the proper polyfill based on the user’s browser and version.

There are serious security issues associated with using polyfills hosted on a CDN. This is mainly because there is a chance that arbitrary JavaScript code execution could occur within the application context. For a specific web application, this risk is frequently identified as a Cross-site Scripting (XSS) vulnerability.

The integrity and security of the external server are what the application depends on when it fetches a polyfill library from a CDN as in the actual CDN source. As demonstrated by the most recent attack against cdn.polyfill.io, the compromised code can be injected and run in the user’s browser if the hosted library or the CDN is affected. Such malicious code is capable of carrying out a number of malicious activities, including phishing site redirection, data theft, and malware infection. This kind of XSS vulnerability has the worst possible effects on browser security.

Impact:

The original creator of the Fastly-hosted polyfill.io website, Andrew Betts, estimated in 2017 that up to 700 million requests a month were made to update outdated browsers with modern web standards and that a staggering 91 million browsers were requesting to import the library every day.

Currently, Polyfill is embedded on over 100,000 websites using the “cdn.polyfill.io” name. The potential daily traffic of thousands of visitors to each of these sites underscores the significant risks involved and the wide-ranging consequences of this supply chain attack.

In a report by Germán Fernández, the Atlassian community website has also been identified as importing the JavaScript polyfill library from the malicious polyfill.io domain.

Silent Push Labs also discovered that the malicious polyfill.io source was present on government websites, and they reported this information to CISA.

Code from the ‘cdn.polyfill[.]io’ service is still embedded in a number of npm packages intended to provide the polyfill functionality.

How the Exploit Works:

By gaining control over the polyfill.io domain, attackers can insert any JavaScript code into websites that depend on this service. Preliminary reports indicate that the attackers have been using this capability to redirect users to malicious websites. The injected code is designed to activate only at specific times of the day and under certain device conditions.

WordPress Plugins With Malware Increase the Risk of Supply Chain Attacks:

Malicious PHP code has been inserted into a number of WordPress plugins, allowing the creation of new, unauthorised administrator accounts and the exfiltration of database credentials. These plugins, which include the ones below, reportedly had their source code hacked by a malevolent threat actor:

Indicators of Compromise (IoCs) Associated with WordPress Plugin Compromise:

IP address of the attacker-controlled server: 94.156.79[.]8

Known usernames for administrative user accounts created by attackers:

• Choices
• PluginAuth

Detection:

The below rule can detect if any website is currently impacted by the Polyfill attack:

rules:

  – id: polyfill-compromise

    patterns:

      – focus-metavariable: $…URL

      – pattern-either:

          – pattern: |

              ‘$…URL’

          – pattern: |

              “$…URL”

      – metavariable-regex:

          regex: https?://(cdn\.polyfill\.io)

          metavariable: $…URL

    message: Found compromised polyfill.io load which is currently serving malware

      to some targets. Replace with Fastly or Cloudflare-hosted version.

    languages:

      – generic

    severity: ERROR

    fix: |

      https://polyfill-fastly.io/v3/polyfill.min.js

    metadata:

      category: security

      cwe:

        – “CWE 506: Embedded Malicious Code”

      confidence: HIGH

      likelihood: HIGH

      impact: HIGH

      owasp:

        – A8:2021 Software and Data Integrity Failures

      references:

        – https://sansec.io/research/polyfill-supply-chain-attack

        – https://cdnjs.cloudflare.com/polyfill

        – https://community.fastly.com/t/new-options-for-polyfill-io-users/2540

      subcategory:

        – vuln

Recommendations:

Following are some best practices you should consider to help protect from the polyfill supply chain attack:

• Use only CDNs from reliable suppliers. For instance, Cloudflare is renowned for its dependability and strong security protocols. 
• As a drop-in substitute, Cloudflare suggests using the polyfill clone they introduced at https://cdnjs.cloudflare.com/polyfill. 
• Audit and keep an eye on any third-party dependencies and scripts on a regular basis. 
• Subresource Integrity (SRI) tools can be used to guarantee that content provided by content delivery networks (CDNs) has not been altered. They can also be used to pin content to an intended version or hash that has been audited and found to be free of malicious or other undesirable behavior. 
• To limit the sources from which scripts can be loaded, implement a robust CSP. By doing this, harmful scripts may not run. Because polyfills are frequently part of the application loading critical route, they execute with the same permissions as other JavaScript on the page, which makes them a target for attackers looking to take advantage of this trust. Because of this risk, it’s crucial to use reliable and secure CDNs, put strong security measures in place like Content Security Policy (CSP), and routinely audit third-party dependencies to protect against vulnerabilities of this kind. 
• Determine if polyfills are still required for the project. Many of the functionality that polyfills offer are now natively supported in current browsers. It is strongly advised that you vendor your dependencies using your own project assets rather than depending on CDNs or other third-party sources.

IOCs:

hxxps://kuurza[.]com/redirect?from=bitget

hxxps://www.googie-anaiytics[.]com/html/checkcachehw.js

hxxps://www.googie-anaiytics[.]com/ga.js