Polyfill.io infects 100k websites with malware

If you’ve been following the latest cybersecurity news, you might have heard about the recent supply chain attack involving Polyfill.io. I somehow missed this until today, due to, well, researching other malware. But the attack proved something we’ve been saying for years at Howtoremove.guide. Older, unpatched websites are susceptible to malware. And normal people are always the ones to pay the bill, in the end.

Polyfill.io is currently blocked by all security sources.

The Polyfill.io Supply Chain Attack

Over 100,000 websites were impacted after a Chinese company called Funnull bought the Polyfill.io domain and modified the service’s script to redirect users to scam websites instead of doing what they were supposed to do. It’s anyone’s guess how a company can do this, even in China, but this is 2024. But the sheer damage that spread like wildfire made me dive into the incident to understand the mechanics and implications of the attack. Here’s what I found.

What is a Polyfill?

Let’s clarify what a polyfill is, because I wasn’t really in the loop what it is either, to be honest. In web development, a polyfill is a type of code that adds modern functionality to older browsers that don’t support it. JavaScript is the best example that does this. This way a user with an outdated browser can still see everything as opposed to broken parts interspersed with the rest.

Polyfill.io was a popular service that provided these scripts to hundreds of thousands of websites, allowing developers to maintain a consistent codebase across all browsers. But see the past tense – it was a popular service.

The Polyfill.io Attack Unfolds

Earlier this year, Polyfill.io was purchased by Funnull, a company supposedly officially based in Slovenia but many attributes suggest a Chinese origin instead. Unfortunately all of this came under scrutiny after the attack took place.

After Polyfill.io the cybersecurity firms like Sansec and c/side raised alarms immediately. Scripts served by Polyfill.io began injecting malicious code into websites, redirecting users to unwanted and often dangerous sites, e.g. a fake Sportsbook site or “www.googie-anaiytics.com” – a clever misspelling of Google Analytics. Scams often employ these tactics to confuse users.

The Scale of Impact

The scale of this attack is staggering because it was lightning quick and came without notice. Over 100,000 websites are affected, including the likes of JSTOR, Intuit, and the World Economic Forum. The malicious code targets mobile devices the most and activates only under specific conditions.. The modified scripts are designed to evade reverse engineering and avoid triggering when they detect admin accounts or web analytics services. My presumption with 10 years in the field is that this is because the actors behind the attack wanted to remain unnoticed for longer.

Google’s Response

Google quickly began notifying advertisers about the potential risks of landing pages that use Polyfill.io’s services. Soon after, they went further and started blocking Google Ads for websites using the compromised scripts, noticeably reducing traffic to these sites. At that point everyone woke up, it seems, and started taking steps to mitigate the issue.

To be clear – modern browsers don’t need this service. It is mostly there for legacy purposes. The original developer of Polyfill.io who sold the service advised immediate removal. Cloudflare and Fastly quickly set up mirrors that cut away the infected code.

So what now?

For now, the Polyfill.io domain has been redirected to Cloudflare, but the DNS servers haven’t changed. This means the malicious actors could regain control at any time. My 2 cents is this is a stark reminder to stay away from old services like this. In 2024 most users are forced to upgrade and most devices are newer than needed anyway.

About the author

Nathan Bookshire

Leave a Comment