Urgent Alert for Developers: Polyfill.js Hijacked in Supply Chain Attack
Polyfill.js is an exceedingly popular third-party open-source library that lets websites support older browsers, such as Microsoft Internet Explorer 6 through 10. The owner of the library served it from cdn.polyfill.io, so developers could add compatibility by including a single script tag. Currently, over 100,000 websites worldwide load this script.
Starting in February 2024, a company acquired the domain and the GitHub account associated with this library and began tampering with the script, so that visitors who reach a site carrying the script through a search engine are randomly redirected to illegal sites.
Numerous developers have reported the issue on GitHub, but their reports have been deleted. This is not a hack but a deliberate action by the company that now controls the account, aimed at keeping as many developers as possible unaware of the situation.
To reach as many end users as possible, the tampered Polyfill.js script uses several techniques to avoid detection. For instance, it does not redirect when the website is visited directly, only when the visitor arrives through a search engine such as Google; it does not redirect when it detects a site administrator; it delays the redirect to frustrate analysis; and it redirects only at random rather than on every visit, to avoid being flagged.
This is a classic example of a supply chain attack: attackers poison a widely used upstream package instead of taking the more laborious and less effective route of hacking individual developer accounts. In this case the company simply bought the domain and the GitHub account outright, which lets it act with impunity.
The original developer of Polyfill.js has advised against using it, stating on the platform X that modern browsers no longer need this outdated script. Without control over the domain or the project, the original developer can do nothing further.
This supply chain attack has caused significant turmoil in the internet sector, especially as many e-commerce websites have continued to use this script for compatibility with older browsers, thereby greatly expanding the attack's reach.
Web developers who are only now becoming aware of this issue should promptly remove Polyfill.js from their sites to stop the redirects to illegal sites, which could otherwise lead to user complaints or other problems.
Finally, Google has taken note of the situation. It is now actively blocking all websites that use Polyfill.js from its Google Ads advertising system, so that these sites cannot use Google Ads to promote content that could inadvertently lead users to illegal sites.