Legitimate websites have reportedly been compromised after a once useful piece of JavaScript hosted at polyfill[.]io was altered by its new owners, causing those websites to unintentionally redirect their users to malicious sites.
According to Ars Technica, the JavaScript code, which was available at polyfill[.]io for many years, was a respectable open-source project that enabled older browsers to support modern features they lacked by default.
By including a link to cdn.polyfill[.]io, websites could ensure that content written for newer browsers would still render on devices running older ones. Because all a site had to do was embed the link, the free service was widely adopted; the code served from the polyfill domain handled the rest.
In February, China-based Funnull purchased the domain and the GitHub account hosting the JavaScript code. Researchers from the security company Sansec revealed on June 25 that modified code served from the polyfill domain was redirecting users to websites with pornographic and gambling themes.
The code deliberately concealed the redirects, which fired only for visitors who met predetermined conditions and only during specific hours of the day.
The disclosure sparked calls for action from across the industry. Namecheap, the domain registrar, suspended the domain two days after the Sansec report was released.
This action effectively stopped the malicious code from running on visitors' devices. Even before that, content delivery networks such as Cloudflare had automatically substituted safe mirrors for polyfill links, and Google prohibits ads for websites that incorporate the Polyfill[.]io domain.
Original Author Asks to Take it Down
The domain was also added to the uBlock Origin filter list. Additionally, Polyfill.io's original author, Andrew Betts, advised website owners to remove any links to the library right away.
According to researchers from the security company Censys, 384,773 domains were still linking to the website on Tuesday, exactly one week after the malicious activity was discovered. Some of those websites belonged to well-known organizations, including Warner Bros., Mercedes-Benz, Hulu, and the federal government.
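Finding such lingering references is a simple inventory task. The following is an added example, not code from the article or from any vendor it cites: it scans a page's HTML for script and link tags whose host is polyfill.io (or a subdomain such as cdn.polyfill.io) and reports whether each tag carried an integrity attribute. The sample HTML is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article identifies as compromised; subdomains are matched below.
FLAGGED_HOSTS = {"polyfill.io"}


class _RefCollector(HTMLParser):
    """Collect the src/href of every <script> and <link> tag on the page."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href")
        if url:
            self.refs.append((tag, url, "integrity" in a))


def is_flagged(url):
    """True if the URL's host is polyfill.io or one of its subdomains.
    Handles absolute and protocol-relative (//host/path) URLs; a relative
    path has no host and is never flagged."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


def find_polyfill_refs(html):
    """Return [(tag, url, has_integrity)] for every flagged reference."""
    parser = _RefCollector()
    parser.feed(html)
    return [r for r in parser.refs if is_flagged(r[1])]


# Constructed sample page: two polyfill references, one unrelated script,
# one unrelated stylesheet. Hostname example.test is a placeholder.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v2/polyfill.min.js"></script>
<script src="/static/app.js" integrity="sha384-PLACEHOLDER"></script>
<link rel="stylesheet" href="https://example.test/site.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url, has_integrity in find_polyfill_refs(SAMPLE_HTML):
        print(f"{tag}: {url} (integrity attribute: {has_integrity})")
```

Note that neither flagged tag is pinned with an integrity hash, and a hash would not help here anyway: the service built a different bundle per requesting browser, so the only remediation is to remove the reference or point it at a mirror under your own control.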
Recent Supply-Chain Attacks
The results highlight the reach of supply-chain attacks, which can poison a common source that thousands or even millions of sites rely on, spreading malware to a very large audience.
In a separate recent incident, multiple WordPress plugins appear to have been backdoored, granting attackers full access to, and other destructive capabilities on, any website running them. Supply-chain compromises remain a persistent problem for many websites.
Researchers from the security firm Wordfence report that malicious code was inserted into five WordPress plugins; it creates new administrative user accounts and sends the associated credentials to a server under the attacker's control.
Although WordPress was originally created as a blogging platform, it has since grown to support publishing many kinds of digital content. The research stated that up to 36,000 websites are running WordPress plugins that have been backdoored by an as-yet-unidentified supply-chain attack.
At the time, unknown threat actors were inserting malicious functionality into plugin updates distributed through WordPress.org, the official site of the open-source WordPress content management system.
Once installed, the updates immediately create an administrator account under the attacker's control, giving them total authority over the compromised website. They also inject content intended to manipulate search results.