Overview
Polyfill is a popular JavaScript library used to enhance browser capabilities. Many sites use it by linking to the polyfill[.io] service, which has recently changed ownership.
Sites that load Polyfill[.io] are potentially affected by a recent security issue involving malware hosted on some CDNs. Sansec, a cybersecurity firm, has warned that the polyfill[.io] service and domain have been compromised to inject harmful code into websites, a supply chain attack that impacts over 100K sites.
Summary
The polyfill code is generated dynamically based on the request's HTTP headers, so multiple attack vectors are likely.
The decrypted malware code redirects users to a sports betting website via a dummy Google Analytics domain. The code is designed to resist reverse engineering and activates only on specific mobile devices at specific hours. It also stays dormant when it detects an admin user, and delays execution when a web analytics service is present.
Recommended Mitigations
RedShield strongly recommends that websites currently using Polyfill[.io] remove the code immediately to avoid potential security breaches. Administrators are encouraged to obtain alternative software to ensure the integrity of their assets.
Should immediate removal of this software from your assets not be feasible, please contact support@redshield.co.
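As an added example (not RedShield's or the Polyfill project's code), the following static check finds and strips script tags that load from the polyfill[.io] service in your own stored HTML. Inspecting your pages rather than fetching the served script is deliberate: as noted above, the served code varies with request headers and only activates on certain devices and hours, so a fetch from a desktop scanner can look clean. The sample page and helper names are constructed for this example.

```python
import re
from typing import Dict, List

# Matches a <script ... src="..."></script> element; either quote style is
# accepted and the URL is captured in the "src" group.
SCRIPT_TAG_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(['\"])(?P<src>[^'\"]*)\1[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)
# Matches http(s) or protocol-relative URLs on polyfill.io or any of its
# subdomains (e.g. cdn.polyfill.io); "notpolyfill.io" is deliberately not a hit.
POLYFILL_HOST_RE = re.compile(
    r"^(?:https?:)?//(?:[\w-]+\.)*polyfill\.io(?:[/?#:]|$)", re.IGNORECASE
)


def find_polyfill_io_scripts(html: str) -> List[Dict[str, object]]:
    """Return one record (line number, src, full tag) per offending script."""
    hits = []
    for m in SCRIPT_TAG_RE.finditer(html):
        src = m.group("src").strip()
        if POLYFILL_HOST_RE.match(src):
            hits.append({"line": html.count("\n", 0, m.start()) + 1,
                         "src": src, "tag": m.group(0)})
    return hits


def strip_polyfill_io_scripts(html: str) -> str:
    """Remove every polyfill.io <script> element, leaving other scripts intact."""
    def drop_if_polyfill(m):
        return "" if POLYFILL_HOST_RE.match(m.group("src").strip()) else m.group(0)
    return SCRIPT_TAG_RE.sub(drop_if_polyfill, html)


# Constructed sample page for the demo; not taken from any real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<script src="https://example.com/js/app.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for hit in find_polyfill_io_scripts(SAMPLE_HTML):
        print(f"line {hit['line']}: remove {hit['src']}")
```

Run it over each stored page (or template) and treat every hit as a tag to delete or replace with a self-hosted copy of the required polyfills.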