Google has taken steps to block ads for e commerce sites that use Polyfill.io service after Chinese company acquired the domain and modified the Javascript library to redirect users to scam and malicious sites.
Polyfill is famous library that incorporates help for functions in web browsers. China based content delivery network CDN company Funnull.
Over 110,000 sites that embed the library are affected by supply chain attack. Sansec add in Tuesday report.
The development urges web infrastructure providers Fastly and Cloudflare to offer other endpoints to assist users move away from polyfill.jo.
The original creator of the project Andrew Betts said website owners to remove it urgently no website today requires any of polyfills in the polyfill .jo library.
Most features add to web platform are adopted by mega browsers with few exceptions that can not be polyfilled anyway like Web Bluetooth and Web Serial.
Such an attack occur if underlying third party is compromised or changes the code being served to end users in bad method causing all websites using tool to be compromised.
The code has protection against reverse engineering and only activates on special mobile devices at special hours.
It does not activate when it detects an admin user. it delays execution when web analytics services is found presumably not end up in stats.
San Francisco based c/side has issued an alert of its own domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8 2024.
The Dutch e commerce security firm said domain “cdn.polfill.jo” has caught injecting malware that redirects user to sports betting and pornographic sites.
The findings follow an advisory about security flaw impacting Adobe Commerce and Magento websites that continues to remain unpatched despite solution available since June 11 2024.
It has emerged that 3rd parties can gain API admin reach without requiring a Linux version vulnerable to iconv issue making it more dangerous.
Polyfill.io is used by academic library JSTOR , World Economic Forum and Intuit.
Since February “this domain was caught injecting malware on mobile instrument through sites that embeds cdn.polyfill.io Sansec said.
The polyfill code is generated based on the HTTP headers so various attack vectors are likely. Sansec added.
Sites that embed poisoned scripts from polyfill.io and alss bottcss.com may end up unexpectedly redirecting visitors away from intended location and send them to malicious sites Goof told advertisers.
Google has started blocking Google Ads for websites that use impacted code to decrease traffic to them and cut number of potential victims. Affected site owners have been alerted by internet giant.