A popular JavaScript library, served from a CDN domain embedded by more than 100,000 websites, has in some circumstances been injecting malicious code into pages delivered to mobile users, and researchers and CDN providers are warning site owners to remove references to it immediately.
The incident came to light earlier this week when researchers noticed that, in some cases, the script served from the polyfill.io domain was injecting dynamic code that redirected users to a third-party site. Researchers estimate that more than 100,000 sites currently embed it. Polyfill.io is a service that delivers polyfills, small JavaScript shims that give older browsers functionality they do not natively support. Sites embed a script tag pointing at the CDN, and the server assembles the bundle on each request from the HTTP headers the user's browser presents, chiefly the User-Agent, so the same URL returns different code to different visitors. That design is what makes a compromise hard to spot from a single vantage point, and it also means a Subresource Integrity hash cannot pin the response, since there is no single expected file. The service has been in use for many years, but the author of the original project said in February that he had never owned the polyfill.io domain, which was purchased by a Chinese company that month.
“The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the GitHub repository,” researchers at e-commerce security company Sansec said in an analysis of the incident.
“The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware (see below) which redirects mobile users to a sports betting site using a fake Google Analytics domain (www.googie-anaiytics.com). The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.”
In response to the incident, Cloudflare has created its own safe mirror of polyfill.io and has taken the additional step of rewriting references to the polyfill.io CDN in its customers' pages so that they load from that mirror instead. Fastly developed its own fork of polyfill.io in February and also released drop-in replacements for the original library. Namecheap, the registrar for the polyfill.io domain, has suspended it, and GitHub has flagged the polyfill repository as well.
Researchers recommend that site owners whose pages pull in the polyfill.io library search their templates, pages and build output for any reference to the domain, including protocol-relative references such as //cdn.polyfill.io, and remove them, switching to a self-hosted copy or a trusted mirror if the polyfills are still needed.
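One way to carry out that search, as an added example that is not part of the original article and not code from Sansec, Cloudflare or the polyfill project: the script below scans an HTML document for script and link tags whose host is the compromised CDN, flags any mention of the lookalike analytics domain Sansec named, and strips the offending script tags. The hostnames and the HTML sample are taken from or constructed around the article; the function names are the example's own.

```python
import re
from urllib.parse import urlparse

# Hostnames named in the article: the compromised CDN and the lookalike
# analytics domain Sansec observed in the injected payload.
COMPROMISED_HOSTS = {"cdn.polyfill.io", "polyfill.io"}
LOOKALIKE_HOSTS = {"www.googie-anaiytics.com", "googie-anaiytics.com"}

# src/href attributes of <script> and <link> tags, either quote style;
# protocol-relative URLs (//cdn.polyfill.io/...) are captured as well.
_TAG_RE = re.compile(
    r"<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*(['\"])(.*?)\2",
    re.IGNORECASE | re.DOTALL,
)
# Bare hostname mentions, e.g. inside inline JavaScript that builds the URL.
_HOST_RE = re.compile(r"(?:cdn\.)?polyfill\.io|googie-anaiytics\.com", re.IGNORECASE)
# Whole <script ...>...</script> blocks, used for removal.
_SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def _host_of(url):
    """Lowercase hostname of an absolute or protocol-relative URL."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def find_polyfill_references(html):
    """Return one finding per reference to the compromised CDN or the
    lookalike domain, in document order."""
    findings = []
    for m in _TAG_RE.finditer(html):
        tag, _, url = m.groups()
        host = _host_of(url)
        if host in COMPROMISED_HOSTS:
            findings.append({"kind": "compromised-cdn", "tag": tag.lower(), "url": url})
        elif host in LOOKALIKE_HOSTS:
            findings.append({"kind": "lookalike-domain", "tag": tag.lower(), "url": url})
    # Anything the tag scan did not consume (inline JS, comments) is checked
    # for bare hostname mentions so that dynamically built loaders are caught.
    remainder = _TAG_RE.sub("", html)
    for m in _HOST_RE.finditer(remainder):
        findings.append({"kind": "inline-mention", "tag": None, "url": m.group(0)})
    return findings


def remove_polyfill_scripts(html):
    """Drop every <script> block whose src points at the compromised CDN.
    Other tags (e.g. <link rel=preconnect>) are left for manual review."""
    def _drop(m):
        block = m.group(0)
        tag_m = _TAG_RE.search(block)
        if tag_m and _host_of(tag_m.group(3)) in COMPROMISED_HOSTS:
            return ""
        return block
    return _SCRIPT_BLOCK_RE.sub(_drop, html)


# Constructed sample page for the example; not taken from any real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//cdn.polyfill.io/v2/polyfill.js'></script>
<script src="https://www.example.com/app.js"></script>
<link rel="preconnect" href="https://polyfill.io">
<script>var s=document.createElement('script');s.src='https://www.googie-anaiytics.com/ga.js';</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in find_polyfill_references(SAMPLE_HTML):
        print(f"{f['kind']:18} {f['tag'] or '-':7} {f['url']}")
    print(remove_polyfill_scripts(SAMPLE_HTML))
```

Run it over exported templates or crawled pages rather than a single URL: because the CDN tailors its response to the User-Agent, fetching the page yourself shows only what the CDN chose to serve your client, while the reference in the markup is the same for every visitor and is what needs to go.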
"Given how widespread this is, we don't expect to understand the real impact of this supply chain attack for many weeks. Attacks like these, however, can be quite devastating," Ax Sharma of Sonatype said.