Malware infects JavaScript library 'Polyfill.io' affecting over 100,000 websites

Polyfill.io , a JavaScript library that nullifies differences between web browser versions, was infected with malware and used in supply chain attacks after the project owner changed in February 2024, affecting more than 100,000 sites.

Polyfill supply chain attack hits 100K+ sites
https://sansec.io/research/polyfill-supply-chain-attack

'Polyfill.io (polyfill.js)' is a JavaScript library developed by Andrew Betts. Development can be difficult when there are differences in functionality between versions of web browsers, but by using Polyfill.io, you can use features that are only available in newer versions in older versions, so you can develop without worrying about version differences.

Known users include the World Economic Forum , JSTOR , a digital library that stores academic journals, and Intuit , known for business software development. It was ranked 97th with 776 detections in DataSign's ' Top 100 Discovered Services ' conducted in December 2023, which covered 157,810 web services.

However, developer Betts has already left the project. Jake Champion, who was the maintainer, took over the project, but he did not expect it to grow into a service that could handle more than 10,000 requests per second, so in February 2024, it was sold to a Chinese company called Funnull.

At this point, Betts is calling for people to stop using Polifill.io.

If your website uses https://t.co/3xHecLPXkB , remove it IMMEDIATELY.

I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale. https://t.co/GYt3dhr5fI

— Andrew Betts (@triblondon) February 25, 2024

When a user who noticed the change in the situation investigated, Fang Neng stated that 'Polyfill.io does not guarantee that there will be bugs or inconveniences' and 'We will not notify you even if we make changes to the terms of use.' The post on GitHub pointing out this has been deleted.

Is it true that polyfill.io hosting is going to be owned by a Chinese company? Issue #2834 polyfillpolyfill/polyfill-service GitHub
https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834

According to security firm SanSec, since the ownership changed to Fang Neng, attempts have been made to infect mobile devices with malware via sites that embed cdn.polyfill.io, with more than 100,000 sites reportedly using Polyfill.io.

According to former developer Betts, with the exception of features that cannot be supported by Polyfill, such as Web Serial and Web Bluetooth , most features adopted by the Web Platform are immediately adopted by major web browsers, so there are no websites that require the Polyfill.io library.

No website today requires any of the polyfills in the https://t.co/3xHecLPXkB library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.

— Andrew Betts (@triblondon) February 25, 2024

Incidentally, CloudFlare and Fastly offer their own forks of Polyfill.io for those who need it.

polyfill.io now available on cdnjs: reduce your supply chain risk
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

New options for Polyfill.io users - General - Fastly Community
https://community.fastly.com/t/new-options-for-polyfill-io-users/2540

◆ Forum is currently open
A forum related to this article has been set up on the official GIGAZINE Discord server . Anyone can post freely, so please feel free to comment! If you do not have a Discord account, please refer to the account creation procedure explanation article to create an account!

• Discord | 'Have you ever used the JavaScript library 'Polyfill.io'?' | GIGAZINE
https://discord.com/channels/1037961069903216680/1255451345930948619