
Submission Summary: 0 pending, 1 declined, 0 accepted (1 total, 0.00% accepted)

Submission: Polyfill.io Supply Chain Attack (qualys.com)

protehnica writes:

Polyfill.js is a popular open-source library that supports older browsers. Thousands of sites embed it using the cdn[.]polyfill[.]io domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company has modified Polyfill.js so malicious code would be inserted into websites that embedded scripts from cdn[.]polyfill[.]io. Any script adopted from cdn[.]polyfill[.]io would immediately download malicious code from the Chinese company’s site. Some of the known outcomes are:

  • users are redirected to scam sites,
  • an attacker can steal sensitive data,
  • an attacker can potentially perform code execution.
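
Added example, not part of the submission or the linked write-up: a small Python audit that parses a page's HTML and reports every `<script src>` whose host is the polyfill.io domain named above or one of its subdomains. The sample HTML, the function names and the look-alike hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_DOMAIN = "polyfill.io"  # written as polyfill[.]io in the submission

# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//CDN.Polyfill.io/v2/polyfill.js"></script>
<script src="/static/app.js"></script>
<script src="https://notpolyfill.io/lib.js"></script>
<script src="https://polyfill.io.example.com/lib.js"></script>
</head></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect (line_number, src) for every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append((self.getpos()[0], src.strip()))


def host_of(src):
    """Lowercased host of a script URL; None for relative paths."""
    # urlsplit also handles protocol-relative URLs such as //host/path.
    host = urlsplit(src).hostname
    return host.rstrip(".").lower() if host else None


def find_flagged_embeds(html, domain=FLAGGED_DOMAIN):
    """Return (line, src) pairs whose host is `domain` or a subdomain of it."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for line, src in collector.sources:
        host = host_of(src)
        # Match on a label boundary so look-alike hosts are not reported.
        if host and (host == domain or host.endswith("." + domain)):
            hits.append((line, src))
    return hits


if __name__ == "__main__":
    for line, src in find_flagged_embeds(SAMPLE_HTML):
        print(f"line {line}: {src}")
```

This only sees script tags present in static HTML; embeds injected at runtime by other scripts need a browser-side check.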
