Understanding the Polyfill.io Attack: What You Need to Know

In late June 2024, details of a significant cyber attack came to light when Sansec reported that code hosted on the Polyfill.io domain had been altered. This modified code redirected users to adult and gambling websites. The attack was sophisticated, with the redirections occurring only at specific times of the day and targeting visitors who met certain criteria.

In February 2024, the Polyfill.io domain and GitHub account were acquired by Funnull, a Chinese CDN company, raising immediate concerns about the service’s legitimacy. Subsequently, malware injected through cdn.polyfill.io began redirecting users to malicious sites, affecting reports of over 300,000 websites, including high-profile sites such as WarnerBros, Hulu, Mercedes-Benz, Intuit, and the World Economic Forum. This sophisticated malware employs various evasion techniques, making it particularly challenging to detect and combat.

What is Polyfill.io?

Polyfill.io is a service designed to improve the functionality of older web browsers by providing scripts, known as polyfills, that enable modern web features. These polyfills bridge the gap between new web standards and older browsers that do not natively support them, ensuring that websites function smoothly across different platforms and devices. By dynamically delivering only the necessary polyfills based on the user’s browser, Polyfill.io helps developers maintain compatibility without the need to manually include and manage multiple scripts. This service has been widely used by web developers to ensure a seamless user experience, regardless of the browser version.

How Does the Attack Work?

1. Injection of Malicious Code: Attackers compromise the Polyfill.io service or intercept its requests, injecting malicious code into the scripts.
2. Delivery to Websites: When a website requests a script from Polyfill.io, the malicious code is delivered instead of or along with the legitimate script.
3. Execution on User Devices: The malicious code executes on the devices of website visitors, potentially leading to data theft, malware installation, or other harmful activities.

Impact on Businesses

• Data Breach: Sensitive information from your website and its users can be stolen.
• Reputation Damage: Visitors who are affected may lose trust in your website.
• Financial Loss: Recovering from an attack can be costly due to potential fines, loss of business, and the expense of securing your systems.

How to Protect Your Business

If you suspect your website has been affected by the Polyfill.io attack:

• Stop Using Polyfill.io: Temporarily disable the service and switch to local copies of necessary scripts.
• Scan for Malicious Code: Use security tools to scan your website for any injected malicious code.
• Notify Users: Inform your users about the potential risk and advise them on how to protect themselves.
• Consult Security Experts: Engage with cyber security experts to assess the damage and implement stronger security measures.
• Implement a DNS Security Product: It is crucial for both your office network and remote workers to have DNS filtering in place. This helps prevent employees from accessing malicious websites. We use WatchGuard DNSWatchGo, which has effectively blocked access to numerous sites compromised by the Polyfill.io component.

The Polyfill.io attack highlights the importance of robust web security practices. By understanding how this attack works and taking proactive steps to secure your website, you can protect your business and maintain the trust of your customers. Stay vigilant, stay informed, and prioritise security to safeguard your business.