
What to do when your CDN turns malicious
Important Information:
- On June 25, 2024, the cdn.polyfill.io domain began injecting malware into the popular polyfill.js library, which was utilized by over 100,000 sites.
- Cloudflare responded on June 26 by automatically redirecting requests from cdn.polyfill.io to its own secure mirror of the library.
- Since June 27, Invicti products include dedicated security checks that alert users to any use of polyfill.io in their applications.
- Although the polyfill.io domain has been shut down (cached copies may still exist), there is currently no immediate threat. As a precaution, however, websites and applications that loaded scripts from polyfill.io should remove those references, since the domain is now considered malicious.
- To protect against future attacks, it is recommended to utilize the Subresource Integrity (SRI) feature when loading external dependencies.
The intriguing saga of polyfill.io
The Polyfill project, an open-source initiative created a decade ago, aimed to streamline the incorporation of polyfills for website and web application development. In February 2024, the polyfill.io domain was acquired by a dubious company called Funnull, likely of Chinese origin. Reports surfaced of cdn.polyfill.io injecting malware into mobile devices, but any negative feedback was swiftly removed from the GitHub repository.
The impactful supply chain attack was disclosed on June 25th, with cdn.polyfill.io introducing harmful code into websites that utilized scripts from this domain. It was discovered that over 100,000 sites were unintentionally loading corrupted polyfills, resulting in the dissemination of malware to browsers. Leading providers such as Google and Cloudflare responded promptly to address the threat. Cloudflare, in particular, had harbored suspicions regarding the new proprietors of polyfill.io and had established its own version of the Polyfill repository. When the attacks commenced, Cloudflare initiated the redirection of requests from cdn.polyfill.io to its safe repository. Both Cloudflare and Fastly have been offering secure mirrors of Polyfill since February.
At the time of writing, the polyfill.io domain has been entirely deactivated by its operator, which removes the immediate risk of attack and gives site owners time to remove any references to cdn.polyfill.io from applications that loaded scripts from that domain.
Polyfills are scripts (typically JavaScript sourced from the web) that offer modern functionality to older browser versions lacking specific features. While once popular for addressing cross-browser compatibility limits, they are less relevant with modern browsers adhering to standardized specifications. The original creator of the Polyfill project has discouraged their use for years, deeming them unnecessary and potentially risky.
A new perspective on the web application supply chain
“The Polyfill event underscores the intricate and vulnerable nature of the web application security supply chain, especially in the JavaScript realm on the client side,” remarked Dan Murphy, Chief Architect at Invicti Security. “What sets this incident apart from similar high-profile attacks is that malicious entities gained control of a widely embraced project instead of covertly exploiting a vulnerability amidst the intricate web of dependencies.”
With numerous scripts now loaded through content delivery networks to enhance performance, CDNs represent another link in the supply chain and thereby a potential target. Without mechanisms for verifying if a dependency has been tampered with, users essentially place their application security in the hands of the CDN provider.
Leveraging Subresource Integrity for preemptive defense against future Polyfills
Fortunately, there exists a browser feature that can shield you in the event of an attacker seizing control of a dependency’s CDN: Subresource Integrity (SRI) verification. Most contemporary websites pin specific library versions, keeping the imported version until an upgrade is chosen. Likewise, once published, a version is expected to remain unchanged; any modification normally results in a new version. In essence, once a file is integrated into your application, it should remain unaltered—if modifications occur, there may be suspicious activity.
Enter the Subresource Integrity browser feature, which lets you ensure that a resource is still in the same state as when you included it in your application. Using SRI entails generating a hash (sha256, sha384, or sha512) of the loaded file, with online utilities available to automate this step for you. You then insert the hash into the integrity attribute of your script or link tag, as in this sha384 example for jQuery:
<script src="https://code.jquery.com/jquery-2.1.4.min.js" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" crossorigin="anonymous"></script>
Once implemented, the resource will load normally. However, any alterations on the server end, such as the addition of malicious code, will cause the stored hash to differ from the incoming script or stylesheet, leading browsers to deny loading the resource. This safeguard not only defends against malicious tampering but also mitigates CDN-related issues like misconfigurations that could impact website functionality while being challenging to troubleshoot.
Enhanced security checks in Invicti products for SRI validation and Polyfill detection
Invicti products now feature checks that alert users when a site lacks Subresource Integrity (a missing SRI attribute is reported at Best-practice severity in Invicti, or the equivalent Informational severity in Acunetix) and when an existing SRI hash is incorrect (invalid SRI hash, Low severity).
Both Acunetix and Invicti products have integrated specialized security checks to identify any uses of polyfill.io in scanned websites and applications. These checks are accessible in all Acunetix editions (excluding Acunetix 360), while users of Invicti and Acunetix 360 can enable these custom checks by reaching out to support.
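A simplified version of the two checks described above, as an added example that is neither the article's nor Invicti's code: it scans a page for external scripts and stylesheets loaded without an integrity attribute, and for any resource referencing polyfill.io. The page origin, the sample HTML and the tag-matching regex (enough for this sample, not a full HTML parser) are assumptions.

```javascript
const PAGE_ORIGIN = "https://app.example.com"; // assumed origin of the scanned page
const TAG_RE = /<(script|link)\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*"([^"]*)"/gi;

// Turn the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Return one finding per issue: "polyfill.io reference" for the malicious
// domain, "missing SRI" for a cross-origin dependency with no integrity attribute.
function auditSri(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const ref = tag === "script" ? attrs.src : attrs.href;
    if (!ref) continue; // inline script, or <link> without href
    if (tag === "link" && (attrs.rel || "").toLowerCase() !== "stylesheet") continue;
    const url = new URL(ref, PAGE_ORIGIN); // resolves "//cdn..." and relative paths
    if (url.origin === PAGE_ORIGIN) continue; // same-origin: not a CDN dependency
    if (/(^|\.)polyfill\.io$/i.test(url.hostname)) {
      findings.push({ url: url.href, issue: "polyfill.io reference" });
    }
    if (!attrs.integrity) {
      findings.push({ url: url.href, issue: "missing SRI" });
    }
  }
  return findings;
}

// Constructed sample page: one polyfill.io script, one pinned jQuery script,
// one protocol-relative stylesheet without SRI, one same-origin script.
const SAMPLE_HTML = `
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://code.jquery.com/jquery-2.1.4.min.js" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//cdn.example-cdn.test/site.css">
<script src="/static/app.js"></script>
`;

console.log(auditSri(SAMPLE_HTML)); // three findings: two for polyfill.io, one for the stylesheet
```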