Technology @lemmy.world 0x815 @feddit.org 3 days ago

The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites

sansec.io Polyfill supply chain attack hits 100K+ sites

The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the Github repository.

127

127 comments

that's not very nice to call javascript malware. i know it's bad but still.
My favourite part is that the developers that currently own it said:

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached

https://github.com/polyfillpolyfill/polyfill-service/issues/2890#issuecomment-2191461961

Completely missing the point that they are the supply chain risk, and the fact that malicious code was already detected in their system (to the point where Google started blocking ads for sites that loaded polyfill .io scripts.

We don't even know who they are - the repo is owned by an anonymous account called "polyfillpolyfill", and that comment comes from another anonymous account "polyfillcust".
Wumao trolls incoming in 3..2...
Reposting my comment from Github:

A good reminder to be extremely careful loading scripts from a third-party CDN unless you trust the owner 100% (and even then, ownership can change over time, as shown here). You're essentially giving the maintainer of that CDN full control of your site. Ideally, never do it, as it's just begging for a supply chain attack. If you need polyfills for older browsers, host the JS yourself. :)

If you really must load scripts from a third-party, use subresource integrity so that the browser refuses to load it if the hash changes. A broken site is better than a hacked one.

And on the value of dynamic polyfills (which is what this service provides):

Often it's sufficient to just have two variants of your JS bundles, for example "very old browsers" (all the polyfills required by the oldest browser versions your product supports) and "somewhat new browsers" (just polyfills required for browsers released in the last year or so), which you can do with browserslist and caniuse-lite data.
This is why ublock origin is an essential security tool.
Whichever editor let them post "100 thousand" should be spanked one 100 times with the severed hand of whatever asshole wrote it in the first place.
nah. over 100k sites ignored dependency risks, even after the original owners warned them this exact thing would happen.

the real story is 100k sites not being run appropriately.
What's the malware do?
poly fill indeed
Man, the Chinese are becoming a new major nuisancec on internet.
That GitHub "archive here" link leads to a page where it hasn't been archived... (or was the archive removed??).
Again?
This is probably connected to China cloning the entire GitHub website to their own servers.
nice fake article
Noscript would fix this issue... Deny most of that shit and internet still works... Mostly

You've viewed 127 comments.