If you’ve been utilizing Polyfill.io code on your website, you might want to reconsider. Over 100,000 websites are at risk of being infected with malware due to scripts originating from the polyfill.io domain. Recent reports indicate that a Chinese organization acquired the domain earlier this year, leading to a cascade of security concerns.
Various security firms have issued warnings advising website owners to promptly remove any JavaScript code sourced from the polyfill.io domain. Initially known for providing polyfills – JavaScript code snippets that enhance older browsers with features from newer versions – the domain has now been identified as a source of hidden malicious code within these scripts.
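One way for a site owner to audit their own HTML for the references the warnings tell them to remove, added here as an example and not code from the article or from any firm it cites. It matches the polyfill.io host and any subdomain such as cdn.polyfill.io, including protocol-relative `//cdn.polyfill.io/...` embeds and `<link rel="preload">` hints; the sample HTML is constructed.

```python
"""Find <script> and preload <link> references that load from polyfill.io."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_DOMAIN = "polyfill.io"  # domain named in the article


def host_matches(url: str, domain: str = BLOCKED_DOMAIN) -> bool:
    """True if the URL's host is `domain` or a subdomain of it (suffix-safe)."""
    url = url.strip()
    if url.startswith("//"):  # protocol-relative URL, common in CDN embed snippets
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower()  # relative paths -> "" -> no match
    return host == domain or host.endswith("." + domain)


class _RefCollector(HTMLParser):
    """Collects (tag, url) pairs for external references on the blocked domain."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = None
        if tag == "script" and a.get("src"):
            src = a["src"]
        elif tag == "link" and a.get("href"):
            rels = (a.get("rel") or "").lower().split()
            if "preload" in rels or "modulepreload" in rels:
                src = a["href"]
        if src and host_matches(src):
            self.hits.append((tag, src.strip()))


def find_polyfill_refs(html: str) -> list[tuple[str, str]]:
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: two script embeds, one preload hint, one local script,
# and a look-alike host that must NOT match.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://polyfill.io.example.com/x.js"></script>
<link rel="preload" as="script" href="https://cdn.polyfill.io/v3/polyfill.js">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"remove <{tag}> loading {url}")
```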
Carlo D’Agnolo from security monitoring firm c/side highlighted the severity of the situation, stating that the cdn.polyfill.io domain is currently involved in a web supply chain attack. What was once a service for adding JavaScript polyfills to websites has now transformed into a vehicle for distributing malware to unsuspecting visitors.
Google has taken action by blocking Google Ads on websites utilizing the compromised code to mitigate potential risks to users. The tech giant has also proactively informed affected site owners about the security issue, emphasizing the importance of swift mitigation measures.
According to the Sansec security forensics team, more than 100,000 websites have already been compromised by the malicious scripts. Funnull, a CDN operator suspected to be of Chinese origin, acquired the polyfill.io domain in February and has since been implicated in the supply chain attack.
Despite Funnull claiming to be based in Slovenia, discrepancies in listed addresses and the predominant use of Mandarin language on their website have raised suspicions about the organization’s true nature. The situation has prompted concerns that the company might have affiliations with Chinese entities.
Notable entities such as the academic library JSTOR, Intuit, and the World Economic Forum are among the users of Polyfill.io. However, since February, the domain has been observed injecting malware into unsuspecting websites, putting countless users at risk.