New Signatures Released to Counter Polyfill[.]io Supply Chain Attack
Dear Valued Customers,
We want to inform you about a critical security issue affecting the widely-used Polyfill JavaScript library and to update you on the measures Imunify360 has taken to protect you.
The Issue: Polyfill[.]io Supply Chain Attack
A recently discovered supply chain attack targeting the Polyfill[.]io domain has potentially impacted over 380,000 websites worldwide. This attack began after the domain and its associated GitHub repository were sold to a new owner.
Here are the key details:
- The attack started after the Polyfill[.]io domain was sold to a new owner.
- Malicious actors modified the code hosted on the Polyfill domain to redirect users to adult- and gambling-themed websites.
- The malicious redirections were designed to occur only at certain times of the day and only for visitors meeting specific criteria, making the attack harder to detect.
- The attack extends beyond the original polyfill[.]io domain. New domains like polyfill[.]com were set up to continue the attack after the original domain was suspended.
- This incident appears to be part of a broader malicious campaign involving multiple related domains, some of which have been engaged in similar activities for an extended period.
Impact
The attack specifically affects sites using the following URLs:
- https://cdn.polyfill[.]io
- https://cdn.polyfill[.]com
Major companies and web applications using these services are potentially at risk. Due to Polyfill's widespread use, the effects of this attack could be significant.
Our Response
At Imunify360, we’ve taken swift action to mitigate this threat. We have released the following signature to defend against the attack:
SMW-INJ-27376-js.spam.polyfill
SMW-INJ-27348-js.spam.polyfill
SMW-INJ-27295-js.spam.polyfill
This signature performs the following actions:
- Detection: Identifies instances of Polyfill URLs in your files.
- Removal: Removes these potentially harmful URLs to prevent malicious code injection and redirection.
What You Need to Know
As part of this mitigation, you may see detections for files such as:
- ./polyfill.event-uncompressed.js
- ./polyfill.classlist-uncompressed.js
- Various cache files
These detections do not necessarily indicate that your site has been compromised. Due to Polyfill's extensive use, many web applications may show signs of this issue, but it doesn't always mean a hack has occurred.
Continuous Monitoring
We are closely monitoring the situation and will provide further updates as necessary. As always, your security remains our top priority.
If you have any questions or concerns, please do not hesitate to contact our support team.