Polyfill.io is a widely used service that provides polyfills, pieces of JavaScript that give older browsers modern web APIs they do not support natively. It inspects the requesting browser's User-Agent and delivers only the polyfills that browser lacks, so a single script tag gives web developers cross-browser compatibility without shipping unnecessary code to modern browsers.
The Buzz Around the Polyfill.io Supply Chain Attack
Recently, Polyfill.io became the focal point of a significant supply chain attack. In this type of attack an adversary compromises a trusted third-party service so that its legitimate-looking output carries malicious code into every application that depends on it. Here, control of the polyfill.io domain changed hands in early 2024, and in June 2024 researchers found the scripts it served had been altered to inject malicious code; because well over 100,000 websites embedded the service, the attack raised serious concern across the web development community.
Can Polyfill Read Local Storage of Your Domain?
Yes. A polyfill is loaded with an ordinary script tag, so it executes in your page's origin with exactly the same privileges as code you wrote yourself. The browser has no notion of a "less trusted" third-party script. This means it can:
- Read Local Storage: Access any data your domain stores in local storage.
- Write to Local Storage: Add or modify data within local storage.
- Remove Local Storage Data: Delete data stored in local storage.
- Go beyond Local Storage: Read the DOM and any form fields, read cookies that are not marked HttpOnly, call your APIs with the user's session, and send whatever it collects to a server of the attacker's choosing.
Security Implications
The recent supply chain attack on Polyfill.io highlights several critical security concerns:
- Data Breaches: Malicious polyfills could read sensitive information the front-end keeps in local storage, such as session tokens, user identifiers or preferences, and exfiltrate it.
- Service Disruption: By injecting harmful scripts, attackers can disrupt the normal functioning of your web applications.
- Trust Exploitation: The attack exploits the trust developers place in third-party services, emphasizing the need for rigorous security measures.
How to fix the Vulnerability
Do the following immediately to contain the damage:
- Replacing Polyfill.io: Remove every script tag that loads from polyfill.io (including cdn.polyfill.io) from your pages, templates and build output. Most modern browsers no longer need these polyfills at all; if you still support browsers that do, switch to a self-hosted copy or to the Cloudflare-hosted replacement at https://cdnjs.cloudflare.com/polyfill/ . Search your repositories and your CDN or proxy logs for the domain so you do not miss a tag added by a plugin or a third-party widget.
- Updating Content-Security-Policy (CSP): CSP is an allowlist, so the fix is to make sure the script-src directive names only the origins you actually load scripts from, normally your own origin plus the replacement CDN, and contains no broad entries such as https: or * that would still permit polyfill.io. Apply this across all your services; with the policy in place the browser refuses the script even if a stray tag remains. Note that Subresource Integrity is not a substitute here: polyfill.io tailored its response to each User-Agent, so there was never a single hash you could pin.
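As an added example that is not part of the original post, the following JavaScript (runnable with Node) places a permissive script-src beside a hardened one and implements a small checker that decides whether a given script URL would be permitted under each policy. The page origin https://app.example.com, the policy strings, the function names and the exact Cloudflare path are assumptions for illustration; the matching rules are a simplified subset of the CSP specification (no nonces, hashes or scheme upgrades).

```javascript
// Added example, not code from the original post.
// Simplified CSP script-src checker: given a Content-Security-Policy header
// value and a script URL, decide whether the browser would load the script.
// Everything below (origin, policies, names) is assumed for illustration.

const PAGE_ORIGIN = 'https://app.example.com'; // assumed origin of your site

// Weak policy: the scheme source "https:" still permits cdn.polyfill.io.
const WEAK_CSP = "default-src 'self'; script-src 'self' https:";

// Hardened policy: only your own origin and the replacement CDN may serve scripts.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com";

// Return the source expressions of a directive, or null if it is absent.
function getDirective(csp, name) {
  for (const raw of csp.split(';')) {
    const parts = raw.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === name) return parts.slice(1);
  }
  return null;
}

// Default port for the schemes we care about (used for port comparison).
function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one CSP source expression match the URL? Handles *, 'self', scheme
// sources (https:) and host sources ([scheme://][*.]host[:port][/path]).
// Nonces, hashes and keywords such as 'unsafe-inline' never match a URL.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (expr === '*') return true;
  if (expr === "'self'") return u.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  // Scheme: an explicit scheme must match; otherwise require the page's scheme.
  if (u.protocol !== (scheme ? scheme.toLowerCase() + ':' : page.protocol)) return false;
  // Host: exact match, or any subdomain when the expression starts with "*.".
  const h = u.hostname;
  if (wildcard ? !h.endsWith('.' + host.toLowerCase()) : h !== host.toLowerCase()) return false;
  // Port: an explicit port must match (a literal * accepts any port).
  if (port && port !== '*' && (u.port || defaultPort(u.protocol)) !== port) return false;
  // Path: a trailing slash means prefix match, otherwise exact match.
  if (path) {
    if (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// Would the browser load this script under the given policy? Falls back to
// default-src when script-src is absent; no policy at all allows everything.
function isScriptAllowed(csp, url, pageOrigin = PAGE_ORIGIN) {
  const sources = getDirective(csp, 'script-src') ?? getDirective(csp, 'default-src');
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Demonstration: the compromised CDN versus the replacement under each policy.
const POLYFILL_IO = 'https://cdn.polyfill.io/v3/polyfill.min.js';
const CLOUDFLARE = 'https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js';
for (const [label, csp] of [['weak', WEAK_CSP], ['hardened', HARDENED_CSP]]) {
  console.log(`${label}: polyfill.io=${isScriptAllowed(csp, POLYFILL_IO)}` +
              ` cloudflare=${isScriptAllowed(csp, CLOUDFLARE)}`);
}
```

The weak policy reports polyfill.io as allowed because a bare scheme source matches every https host; the hardened policy blocks it while still permitting the Cloudflare replacement and your own origin. Use the checker to test a header before you ship it, and remember that the header itself is set by your web server or application, not by the page.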
Common Indicators of Compromise
Because the malicious code was served for some time before it was reported and affected a large number of websites and devices, you should check whether your own environment loaded it rather than assume it did not. Researchers identified the following domains and URLs associated with the Polyfill.io attack; the injected code redirected visitors to them. Note that googie-anaiytics.com is a look-alike of google-analytics.com, chosen to pass a casual review of network requests:
- kuurza.com/redirect?from=bitget
- googie-anaiytics.com/html/checkcachehw.js
- googie-anaiytics.com/ga.js
- union.macoms.la/jquery.min-4.0.2.js
- newcrbpc.com/redirect?from=bscbc
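As an added example that is not part of the original post, the following JavaScript (runnable with Node) turns the indicators above into a small scanner: it extracts script tags from page markup and scans log lines for the listed hosts, treating polyfill.io itself and any subdomain of a listed host as a match. The HTML snippet, the log lines and the function names are constructed for illustration, not taken from a real incident.

```javascript
// Added example, not code from the original post.
// Scan page markup and log lines for the indicator hosts listed above.
// All inputs below are constructed for illustration, not real incident data.

// Indicator hosts: the compromised CDN plus the redirect/payload domains.
// A subdomain of an entry (for example cdn.polyfill.io) counts as a match.
const IOC_HOSTS = [
  'polyfill.io',
  'kuurza.com',
  'googie-anaiytics.com', // look-alike of google-analytics.com
  'union.macoms.la',
  'newcrbpc.com',
];

function isIocHost(hostname) {
  const h = hostname.toLowerCase();
  return IOC_HOSTS.some((ioc) => h === ioc || h.endsWith('.' + ioc));
}

// Return the src of every <script> tag whose host is an indicator.
// Protocol-relative srcs (//host/path) are resolved as https; relative
// srcs (/static/app.js) have no host and are skipped.
function findIocScripts(html) {
  const hits = [];
  const tagRe = /<script\b[^>]*\ssrc\s*=\s*(["']?)([^"'\s>]+)\1/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[2];
    let hostname;
    try {
      hostname = new URL(src.startsWith('//') ? 'https:' + src : src).hostname;
    } catch {
      continue;
    }
    if (isIocHost(hostname)) hits.push(src);
  }
  return hits;
}

// Scan free-form lines (access logs, proxy logs, CSP violation reports)
// for indicator hosts. Returns one finding per (line, host) pair.
function scanLogLines(lines) {
  const hostRe = /\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b/gi;
  const findings = [];
  lines.forEach((line, i) => {
    const seen = new Set();
    let m;
    while ((m = hostRe.exec(line)) !== null) {
      const host = m[1].toLowerCase();
      if (isIocHost(host) && !seen.has(host)) {
        seen.add(host);
        findings.push({ line: i + 1, host });
      }
    }
  });
  return findings;
}

// Constructed sample page: one compromised tag, one replacement tag,
// one local script and one look-alike analytics tag.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script async src='https://googie-anaiytics.com/ga.js'></script>
</head><body></body></html>`;

// Constructed sample log lines in a simple "timestamp method url status" form.
const SAMPLE_LOGS = [
  '2024-06-26T10:01:02Z GET https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js 200',
  '2024-06-26T10:01:03Z GET https://cdn.polyfill.io/v3/polyfill.min.js 200',
  '2024-06-26T10:01:04Z GET https://googie-anaiytics.com/html/checkcachehw.js 200',
  '2024-06-26T10:01:05Z GET https://kuurza.com/redirect?from=bitget 302',
];

console.log('script tags:', findIocScripts(SAMPLE_HTML));
console.log('log findings:', scanLogLines(SAMPLE_LOGS));
```

On the sample page the scanner reports the polyfill.io tag and the look-alike analytics tag and leaves the Cloudflare replacement and the local script alone; on the sample logs it flags lines 2 to 4. Point findIocScripts at your rendered pages (what the browser actually receives, not just your templates, since a plugin may inject tags at runtime) and scanLogLines at proxy or CDN logs covering the period before you removed the dependency.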
For more detailed information, refer to these advisories:
- Polyfill.io Supply Chain Attack Threat Advisory
- Hijacked Polyfill Supply Chain Attack Affects More Than 110,000 Websites
- The Polyfill.io Supply Chain Attack: Lessons Learned
Conclusion
The Polyfill.io supply chain attack serves as a stark reminder of the importance of securing third-party dependencies. At Leena AI, we are committed to maintaining a secure environment and have taken all necessary steps to protect our applications and users. Always stay vigilant and ensure that your security measures are up to date to defend against such threats.