{"id":22989,"date":"2024-07-05T10:30:29","date_gmt":"2024-07-05T06:30:29","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/polyfill-io-service-supply-chain-attacks\/22989\/"},"modified":"2024-07-05T10:30:34","modified_gmt":"2024-07-05T06:30:34","slug":"polyfill-io-service-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/polyfill-io-service-supply-chain-attacks\/22989\/","title":{"rendered":"Remove Polyfill.io from your website"},"content":{"rendered":"

If your website uses the script from Polyfill.io, we recommend removing it ASAP: the service is sending malicious code<\/a> to your visitors. This article explains what Polyfill.io is for, why it\u2019s become dangerous to use, and what you should do about it if you do use it.<\/p>\n

What polyfills and Polyfill.io are<\/h2>\n

\nA polyfill is a piece of code that implements features otherwise unsupported by certain browser versions. This is typically JavaScript code that adds support for HTML5, CSS3, JavaScript API and other standards and technologies that spare web developers the headache of supporting exotic or outdated browsers. Polyfills saw their heyday in the 2010s as HTML5 and CSS3 gradually took over the Web.<\/p>\n

Polyfill.io is a service that helps automatically deliver polyfills that a browser requires for displaying a particular website.<\/p>\n

The service gained popularity both for its efficiency\u00a0(only the polyfills you need are loaded) and for its regular updates to the technologies and standards used. Straightforward implementation was a factor as well: all the developer needed to start using Polyfill.io was to add a short string to the website code in order to enable the service\u2019s script.<\/p>\n

Polyfill.io was originally created by the Financial Times web development team. In February 2024, the service, along with the associated domain and GitHub account, was sold to the Chinese CDN provider Funnull. It wasn\u2019t six months before trouble began.<\/p>\n

Malicious code from cdn.polyfill.io<\/h2>\n

\nOn June 25, 2024, researchers at Sansec discovered<\/a> that cdn.polyfill.io had begun to deliver malicious code to users of websites that used Polyfill.io. The code used a typosquatted domain pretending to be Google Analytics\u00a0\u2014 [code] www.googie-anaiytics.com[\/code]\u00a0\u2014 to redirect users to a Vietnamese sports betting site.<\/p>\n

\"The<\/a>

The malicious code redirected the users of compromised sites to a sports betting site written in Vietnamese<\/p><\/div>\n

According to the researchers, this wasn\u2019t the first time that Polyfill.io had been caught spreading malicious code. Those who had noticed the dangerous behavior earlier tried complaining<\/a> (archived link) in GitHub comments, but the new owners of Polyfill.io quickly removed all the criticisms (here\u2019s another example<\/a> from the Internet Archive).<\/p>\n

The potentially harmful script is allegedly present on more than 100,000 websites<\/a> \u2014 some of them rather big ones.<\/p>\n

Google Ads: one more reason to remove Polyfill.io<\/h2>\n

\nIn case visitors getting a malicious script doesn\u2019t sound too worrying, Google Ads is giving website operators a further valid reason to hurry up and get the problem fixed.<\/p>\n

Google\u2019s advertising service has suspended the display of ads linking to websites that spread malicious scripts from several services. Besides Polyfill.io, the list includes Bootcss.com, Bootcdn.net and Staticfile.org.<\/p>\n

\"<\/a>

A Google Ads suspension warning due to the website using a malicious script downloaded from Polyfill.io, Bootcss.com, Bootcdn.net or Staticfile.org. Source<\/a><\/p><\/div>\n

You\u2019d be wise to stop using the aforementioned services on your website, or else you risk losing traffic due to users being led away by the malicious scripts and because of Google Ads no longer promoting you.<\/p>\n

Protecting against the Polyfill.io attack<\/h2>\n

\nHere are a few steps to take about the attack:\n<\/p>\n