Over 380,000 web hosts affected by Polyfill attack
Follows Polyfill's acquisition by Chinese firm in February
The recent supply chain attack targeting the popular Polyfill.io JavaScript library is significantly larger than first thought.
New research from Censys reveals that over 380,000 web servers worldwide are currently embedding a script linked to the malicious domain. These hosts include websites associated with major platforms like Hulu, Mercedes-Benz and WarnerBros.
"A notable concentration of these hosts, approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," the researchers said in a blog post.
Polyfill.io provides code snippets that ensure websites function correctly in older browsers.
Last month, Dutch e-commerce security firm Sansec discovered that the "cdn.polyfill.io" domain was injecting malicious code, redirecting users to gambling and adult websites.
The code was designed to evade detection by security tools and only activated at specific times and for certain visitors.
This suspicious activity followed the February 2024 acquisition of Polyfill and its associated GitHub account by a Chinese CDN firm named Funnull.
On a post discussing the sale on GitHub, a software engineer known as SukkaW said, "'Funnull' is notorious for providing service for the betting and pornography industries."
After Sansec reported malicious redirects, domain registrar Namecheap suspended Polyfill.io.
Cloudflare issued a stern warning about Polyfill.io's deceptive practices. The company claims Polyfill misused their name and logo on their website, potentially misleading users into believing Cloudflare endorsed the compromised service.
"Cloudflare has never recommended the polyfill.io service or authorised their use of Cloudflare's name on their website," the team wrote in a blog post.
"We have asked them to remove the false statement and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted."
To safeguard customers, Cloudflare has implemented an automatic URL rewriting feature.
This feature automatically replaces any instances of "polyfill.io" with a safe mirror hosted on Cloudflare's servers. This ensures website functionality remains intact while mitigating the attack's impact.
Google, prioritising user safety, blocked advertisements displayed on e-commerce sites using Polyfill.io. The company is actively informing potentially impacted advertisers on how to address the problem.
After Namecheap suspended Polyfill.io, the operators attempted to revive the service under a new domain, polyfill.com, but Namecheap shut that down as well. They have since registered two more domains, polyfill.site and polyfillcache.com. The latter is still operational.
The investigation into the attack has uncovered a potentially far more extensive campaign.
Censys identified a network of additional domains, including bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la and newcrbpc.com, with ties to the maintainers of Polyfill.io.
Notably, bootcss.com has displayed similar malicious behaviour since June 2023, according to Censys, raising concerns that these domains could be used for future attacks.
About 1.6 million public-facing servers currently link to these suspicious domains, the researchers said.
The incident highlights the dangers of supply chain attacks, where vulnerabilities in widely used tools or services can be exploited to compromise numerous websites and their users.
Website owners and developers are urged to audit their code for references to Polyfill.io or any of the related domains mentioned above.
Andrew Betts, the original creator of the library, has also urged website owners to remove it entirely, stating that modern browsers already include most features Polyfill.io aimed to support.