More than 100,000 websites using the once popular Polyfill JS open-source project code are open to a malicious attack redirecting traffic to sport betting and pornography websites. Polyfill.js is open-source code once used by websites to support outdated browsers.
In a
June 25 blog post, researchers at Sansec warned that websites using the Polyfill code are now dynamically generating several malicious activities that are based on the site’s Hypertext Transfer Protocol (HTTP) headers and allow for multiple types of attacks.
HTTP headers are fields in Hypertext Transfer Protocol (HTTP) requests and responses that contain extra information and metadata. They are usually invisible to the end user and are only processed or logged by the server and client applications, according
to Mozilla glossary term.
Once legit, now rogue, experts warn
Sansec researchers note the popular open-source site cdn.polyfill.io was recently bought by Chinese company Funnull. Not long after the sale, Sansec noted that sites using the polyfill.js open source library “inject[ed] malware on mobile devices via any site that embeds cdn.polyfill.io” as part of the open-source code used with Polyfill JS.
The researchers detected one specific malware that redirects mobile users to a sports betting site using a fake Google analytics domain: googie-anaiytics.com. According the Santec researchers, the code has protection against reverse engineering and only activates on specific mobile devices at specific hours.
100k sites at risk
Polyfill.io's widespread adoption across various industries, including e-commerce, finance, media and entertainment, and healthcare, offers a vast network of websites for malicious actors to exploit, said Sarah Jones, cyber threat intelligence research analyst at Critical Start.
“This incident highlights the inherent vulnerability of relying on the security practices of third-party open-source maintainers, emphasizing the need for robust supply chain security measures within the open-source community,” said Jones. “Organizations must implement stricter vetting procedures for adopted libraries and prioritize regular security audits to mitigate such risks. Additionally, developers need to be more vigilant when integrating third-party code into their projects.”
Open-source projects rely heavily on third-party libraries, like
polyfill.io, which ensured browser compatibility, explained Jason Soroko, senior vice president of product at Sectigo. Soroko pointed out that the takeover by Funnull without proper communication earlier this year shows the risks of transferring control of potentially critical resources.
“It’s crucial to know who maintains dependencies and to have clear maintenance and transfer plans,” said Soroko. “The attack’s sophistication, with dynamic payloads targeting specific devices, shows evolving cyber threats and the need for continuous monitoring.”
Soroko added that Google’s quick action to block ads on infected sites and researcher warnings underscore the importance of a vigilant community. He also said the warning by Andrew Betts -- the creator of the Polyfill service project -- about the reduced need for polyfills in modern browsers suggests fewer attack surfaces in the future.