Remove Polyfill.io to Prevent Malicious Attacks
Polyfill.io is a service built on open-source JavaScript (the polyfill.js project) that websites once used to support outdated browsers. This week, Sansec researchers warned that more than 100,000 websites still loading code from polyfill.io are exposed to malicious scripts served through it.
Organizations that use any code from the polyfill.io domain in their websites should immediately remove it.
What happened?
Polyfill.io offers polyfills: small pieces of JavaScript that give older browsers features built into newer ones. They make life easier for developers, who can then rely on their web code working across a wider range of browsers.
Researchers discovered that the scripts served from polyfill.io now contain hidden malicious code, and that the payload is chosen from the visitor's HTTP request headers (such as the User-Agent), which allows for multiple attack types. Because the malware is embedded in the polyfill script itself, anyone who visits a website that loads it runs the malicious code; observed payloads include redirecting visitors to sports betting and pornography websites.
This follows the sale of the polyfill.io domain and its GitHub account to a reportedly Chinese company in February. Earlier this year the project's original creator publicly urged users to stop using the service as a precaution following the change in ownership.
Remove Polyfill mentions from code immediately
Coalition recommends immediately removing every reference to polyfill.io from your websites and code, including script tags, preload links, and any JavaScript that injects the script at runtime. Cloudflare's CEO said approximately 4% of the entire internet uses Polyfill.io.
If you still need the service, both Fastly and Cloudflare offer trustworthy alternatives that serve the same polyfills from their own domains.
If the malware has already affected your website, follow these steps to remove it from your systems.
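The removal step above starts with finding every reference. The following scanner is an added example (not Coalition's code and not part of the polyfill project) that flags script and link tags pointing at polyfill.io or any of its subdomains, and URLs embedded in JavaScript source for scripts injected at runtime; the page URL used to resolve relative references and the sample markup are constructed for the example.

```javascript
// Added example, not Coalition's or the polyfill project's code: a scanner
// that finds references to polyfill.io (and any subdomain of it) in HTML
// markup and in JavaScript source, so they can be removed or replaced.

// Hostname is polyfill.io itself or a subdomain such as cdn.polyfill.io.
// A lookalike such as notpolyfill.io does not match.
const POLYFILL_HOST = /(^|\.)polyfill\.io$/i;

// <script src=...> and <link href=...> tags; the value may be double-quoted,
// single-quoted or unquoted (capture groups 4, 5 and 6 respectively).
const TAG_RE =
  /<(script|link)\b[^>]*?\b(src|href)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

// URLs embedded in JavaScript source, e.g. when a script tag is injected at
// runtime with document.createElement("script").
const URL_IN_SOURCE = /(?:https?:)?\/\/(?:[\w-]+\.)*polyfill\.io(?:\/[^\s"'`)]*)?/gi;

// Resolve a src/href value (absolute, protocol-relative or relative) against
// the page URL and return its hostname. The page URL is an assumed default.
function hostOf(ref, pageUrl = "https://example.com/") {
  try {
    return new URL(ref, pageUrl).hostname;
  } catch {
    return null; // malformed value: nothing we can resolve to a host
  }
}

// Return every script/link tag whose resolved host is polyfill.io.
function findPolyfillReferences(html) {
  const hits = [];
  for (const m of html.matchAll(TAG_RE)) {
    const ref = m[4] ?? m[5] ?? m[6];
    const host = hostOf(ref);
    if (host && POLYFILL_HOST.test(host)) {
      hits.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), url: ref });
    }
  }
  return hits;
}

// Return every polyfill.io URL found inside JavaScript source text.
function findPolyfillStrings(source) {
  return [...source.matchAll(URL_IN_SOURCE)].map((m) => m[0]);
}

// Constructed sample page: three polyfill.io references (a preload link, a
// cdn.polyfill.io script and a protocol-relative script), one Cloudflare-hosted
// mirror and one first-party script; only the first three must be flagged.
const SAMPLE_HTML = `
<head>
  <link rel="preload" href=https://polyfill.io/v3/polyfill.min.js as=script>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
  <script src='//polyfill.io/v3/polyfill.min.js'></script>
  <script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
  <script src="/js/app.js"></script>
</head>`;

// Constructed sample of a script injected at runtime.
const SAMPLE_JS = `
const s = document.createElement("script");
s.src = "https://cdn.polyfill.io/v3/polyfill.min.js?features=default";
document.head.appendChild(s);`;

console.log(findPolyfillReferences(SAMPLE_HTML));
console.log(findPolyfillStrings(SAMPLE_JS));
```

Run it over rendered pages as well as templates: tag managers and CMS plugins add script tags that never appear in your repository, and a reference injected by a plugin is just as dangerous as one you wrote yourself.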
The impact of open-source security concerns
Earlier this month, Coalition Security Labs published a blog on vulnerability management following the discovery of a backdoor in XZ Utils, an open-source compression library available for Linux.
In the case of XZ, we got lucky: a researcher noticed the backdoor before the malicious versions reached production Linux distributions. Coalition advised businesses to address common stumbling blocks in the vulnerability management process.
Now, Coalition is seeing an open-source security concern come to fruition, impacting a significant portion of the internet and well-known organizations like JSTOR and the World Economic Forum.
Unlike many supply chain attacks, this one was not aimed at the company using the library but at everyone visiting that company's websites, which gave the malicious content very wide distribution.
Going forward
Time is of the essence when it comes to security risk management. To ensure we stay ahead of the latest emerging threats, Coalition constantly collects security data by scanning the entire IPv4 space and parts of the IPv6 space, tracking new vulnerabilities, monitoring threat actor behavior with honeypots, and gathering intelligence from data leaks.
We only send alerts for security concerns that present a real and immediate threat to businesses. This allows businesses to make good security decisions, such as removing vulnerable technologies from their digital ecosystem.
Coalition notified policyholders of this active security concern in Polyfill, and its Security Support Center is standing by should any policyholders need assistance with mitigation. Additionally, you can apply Subresource Integrity (SRI) to all CDN-delivered JavaScript to protect against unexpected modifications: the browser refuses to run a script whose hash does not match the integrity attribute on the tag. SRI only works for files whose content is fixed, however. Polyfill.io built a different bundle for each browser based on the User-Agent header, so it could never have been pinned this way, and a third-party script you cannot pin is a script you should self-host or drop.
Activate your Coalition Control® account to view additional alerts on emerging risks that may impact your organization.