Submission + - Polyfill.io Supply Chain Attack (qualys.com)

Submitted by protehnica on Friday July 05, 2024 @02:35AM

protehnica writes: The polyfill.js is a popular open-source library that supports older browsers. Thousands of sites embed it using the cdn[.]polyfill[.]io domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company has modified Polyfill.js so malicious code would be inserted into websites that embedded scripts from cdn.polyfill[.]io. Any script adopted from cdn.polyfill[.]io would immediately download malicious code from the Chinese company’s site. Some of the known outcomes are:

user would be redirected to scam sites,
allows an attacker to steal sensitive data,
potentially perform code execution.

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Polyfill.io Supply Chain Attack

Load All Comments

Search 0 Comments Log In/Create an Account

Comments Filter:

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

"They that can give up essential liberty to obtain a little temporary saftey deserve neither liberty not saftey." -- Benjamin Franklin, 1759

Submission + - Polyfill.io Supply Chain Attack (qualys.com)

Polyfill.io Supply Chain Attack More Login

Polyfill.io Supply Chain Attack

Slashdot Top Deals

Slashdot