John Leyden
Senior Writer

Formerly legitimate Polyfill.io domain abused to serve malicious code

News
26 Jun 2024, 3 min read
Tags: JavaScript, Vulnerabilities, Web Development

Enterprises relying on its JavaScript fragments to ensure their web apps’ browser compatibility could be spreading trouble for users.

A domain that formerly hosted a service for adding JavaScript polyfills to web pages, so that they keep working in older browsers, is now being abused to serve malicious scripts in a web-based supply chain attack.

Developers are urged to check their code and remove any references or calls to the dangerous polyfill.io domain.

The domain previously served the open source Polyfill project, but it turned rogue after being sold in February 2024 to Funnull, a Chinese company.

The Polyfill project itself remains legitimate: it is open source code that makes modern JavaScript features available in older browsers. Its developer, Andrew Betts, said he had never owned the domain and had no influence over its sale four months ago.

“If your website uses polyfill.io, remove it immediately,” Betts said in a Twitter update.

Powering redirection scams

Web security firm c/side reports that scripts served from the polyfill.io domain now carry malicious code, which runs in the browser of anyone who visits a site that still loads from it.

“The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users and delaying execution,” according to c/side.

Some of the doctored JavaScript files include a link to a fake Google Analytics domain, and the script loaded from it redirects visitors to sports or pornography websites. As c/side warns, the payload could easily be swapped for something more harmful, such as code that tampers with users' browsing or steals their data.

Visitors to as many as 100,000 websites might be at risk of attack, according to c/side.

There was no response from c/side to CSOonline’s requests for further information, but others in the industry, including Cloudflare, are taking action to deal with the threat.

“Given supply chain risk, Cloudflare launched an alternative endpoint to polyfill under cdnjs in February 2024,” the content delivery network said in an update on X/Twitter. “We would strongly encourage immediate replacement of any remaining links to polyfill with the cdnjs alternative endpoint.”

Fastly has also set up a mirror.
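To turn the advice above (remove every reference to polyfill.io, or point remaining loads at a trusted mirror) into something that can be run against a code base, here is an added example in Node.js. It is not code from the article, the Polyfill project, Cloudflare or Fastly. It goes slightly beyond the text by scanning any text for URLs rather than only HTML script tags, since a load through a dynamically created script element is just as dangerous as a static one. Assumptions not stated on the page: polyfill.io and all of its subdomains are treated as hostile; the replacement URL is one you supply (the article names the cdnjs mirror but gives no URL, and `mirror.example.net` below is a placeholder); and the replacement accepts the same `?features=` query string as the original service, so the query string is preserved on rewrite.

```javascript
'use strict';
// Added example: not code from the article, the Polyfill project, Cloudflare
// or Fastly. Finds references to the hostile polyfill.io domain in HTML or
// JavaScript text and rewrites <script src> attributes to a replacement
// endpoint supplied by the caller. Assumptions (not stated on the page):
//  - polyfill.io and every subdomain of it are treated as hostile;
//  - the replacement URL is whatever you pass in (no mirror URL is given on
//    the page, so none is hard-coded here);
//  - the replacement accepts the same ?features= query string, which is
//    therefore preserved on rewrite.

const HOSTILE_DOMAIN = 'polyfill.io';

// Absolute (http/https) and protocol-relative (//host/...) URLs in any text.
const URL_RE = /(?:https?:)?\/\/[^\s"'<>()]+/g;

// <script ... src="..."> or src='...'; group 2 is the quote, group 3 the URL.
const SCRIPT_SRC_RE = /(<script\b[^>]*\bsrc\s*=\s*)(["'])([^"']+)\2/gi;

// Parses a possibly protocol-relative URL; the base only resolves "//host/path".
function parseUrl(raw) {
  try {
    return new URL(raw, 'https://example.invalid/');
  } catch {
    return null;
  }
}

// True for polyfill.io itself and any subdomain (cdn.polyfill.io), but not
// for look-alikes such as polyfill.io.example.net or notpolyfill.io.
function isHostileHost(hostname) {
  const h = hostname.toLowerCase();
  return h === HOSTILE_DOMAIN || h.endsWith('.' + HOSTILE_DOMAIN);
}

// Every URL in `text` (HTML, JS, CSS) whose host is hostile. Catches script
// tags and also string literals used for dynamically created script elements.
function findPolyfillUrls(text) {
  const hits = [];
  for (const m of text.matchAll(URL_RE)) {
    const u = parseUrl(m[0]);
    if (u && isHostileHost(u.hostname)) hits.push(m[0]);
  }
  return hits;
}

// Rewrites hostile <script src> attributes to `replacementBase`, keeping the
// original query string. Returns the new HTML and the number of rewrites.
function rewriteScriptTags(html, replacementBase) {
  let count = 0;
  const out = html.replace(SCRIPT_SRC_RE, (whole, prefix, quote, src) => {
    const u = parseUrl(src);
    if (!u || !isHostileHost(u.hostname)) return whole;
    count += 1;
    return `${prefix}${quote}${replacementBase}${u.search}${quote}`;
  });
  return { html: out, count };
}

// Constructed sample page (not taken from any real site): two hostile loads,
// one unrelated script and one look-alike host that must be left alone.
const SAMPLE_HTML = [
  '<!doctype html><html><head>',
  '<script src="https://polyfill.io/v3/polyfill.min.js?features=default,es6"></script>',
  "<script src='//cdn.polyfill.io/v2/polyfill.min.js'></script>",
  '<script src="https://static.example.com/app.js"></script>',
  '<script src="https://polyfill.io.example.net/fake.js"></script>',
  '</head><body></body></html>',
].join('\n');

// Placeholder replacement endpoint (assumption); substitute the mirror you chose.
const REPLACEMENT_BASE = 'https://mirror.example.net/polyfill.min.js';

// Runs the scan and rewrite over the sample page and reports the outcome.
function demo() {
  const found = findPolyfillUrls(SAMPLE_HTML);
  const rewritten = rewriteScriptTags(SAMPLE_HTML, REPLACEMENT_BASE);
  return {
    found,
    count: rewritten.count,
    remaining: findPolyfillUrls(rewritten.html).length,
    html: rewritten.html,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Feed it the contents of HTML templates and built bundles. Static scanning cannot see scripts injected at runtime by tag managers or other third-party code, so after deploying the change, load the site and confirm in the browser's network panel that no request goes to polyfill.io.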

Security vendors including Aikido detect usage of the hostile domain.

Elsewhere, Google Ads is warning advertisers about loading third-party JavaScript from the domain.
