Abstract

This article explains how attackers or threat actors exploit trust in a supply chain to carry out their malicious activity. The domain Polyfill[.]io was acquired by a Chinese company named Funnull in February 2024. The domain was hosted on multiple CDNs around the world so that its dependencies could be delivered as fast as possible. A user then described in a comment how he had found a vulnerability in the polyfill.io dependencies being delivered by Funnull's CDNs; this report was deleted by the owner of the polyfill[.]io GitHub repository. This led to a thorough investigation, and on 27 June 2024 it was announced that Funnull's CDNs were distributing malware and exfiltrating data from the users who visited websites where polyfill was used. The estimate is that over 100,000 people have been affected by this vulnerability, and the number is still growing.

What is Supply Chain Management?

A supply chain is the network of individuals, organizations, activities, and resources involved in the creation and sale of a product or service. It encompasses everything from the delivery of raw materials to the manufacturer, through to the final delivery to the customer.

In the digital domain, this supply chain translates to importing dependencies and pre-built frameworks from other providers, which helps make development and deployment fast and smooth. To keep this secure, companies form business agreements with their providers, who need to be regulatory compliant and pass audits without any findings.

What is Polyfill?

A polyfill is a piece of code (usually JavaScript on the Web) used to provide modern functionality on older browsers that do not natively support it.

For example, a polyfill could be used to mimic the functionality of text-shadow in IE7 using proprietary IE filters, or mimic rem units or media queries by using JavaScript to dynamically adjust the styling as appropriate, or whatever else you require.

It is a workaround that helps JavaScript developers streamline their development through one API: the polyfill translates new features for old browsers, acting as a shim between outdated browsers and the latest web implementations. As of now polyfill is not required for any of the browsers, but many service providers still depend on it.

Vulnerability used by Polyfill

Polyfill is a service provided by many CDNs (content delivery networks) such as Cloudflare, Amazon CloudFront, and Google Cloud CDN. The domain Polyfill.io was put up for sale and sold to Funnull, a Chinese CDN. The issue was found while polyfill was being delivered to the browser: a network inspection showed that the URL https://cdn.polyfill.io/v2/polyfill.min.js would trick a first-time user on a phone who opened a website carrying this link through an ad (Google Ads or Facebook), redirecting the user to a malicious website. This CDN specifically targeted mobile browser users, i.e. people who use their phones to access websites and perform their daily internet tasks.

The following mechanism was used to check whether the user is on a mobile phone or a laptop/PC:

[1] When a website with the vulnerable polyfill is requested, the page requests the dependency from the malicious CDN at https://cdn.polyfill.io/v2/polyfill.min.js.

[2] The request sent by the browser had to satisfy the following conditions:

i. First request from a unique IP address and user-agent.

ii. The user-agent matches that of a phone, with a Referer from a reputable website that installed polyfill.

iii. Accept: */*

iv. Accept-Encoding: gzip, deflate, br, zstd

v. All cookies deleted.

[3] This request returns the original polyfill code together with malicious code that loads and runs JavaScript from https://www[.]googie-anaiytics[.]com/ga[.]js.

[4] This went unnoticed for a long period of time: instead of going to Google Analytics, users were redirected to the look-alike "googie analytics" malicious website, where their credentials and PII were harvested.

[5] The following is a code snippet:

This code would run the following obfuscated JavaScript: https://pastebin.com/hAgtHd70

This code has not been fully decoded yet. Some professionals (lowlevelcoding, among others) speculate that it may exploit the JavaScript engine, i.e. the widely deployed V8 engine (sandbox). V8 is written in C++ and translates (interprets) JavaScript into low-level machine code that is then executed on the user's machine. C++ is inherently prone to memory corruption, so an attacker could use JavaScript to trigger a known or zero-day memory corruption vulnerability, escape the V8 engine and run arbitrary code on the user's machine.
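The mechanism above leaves two observable traces in a page: a script loaded from the polyfill.io CDN and, once tampered with, a load from the look-alike googie-anaiytics domain. The following scanner is an added example (not code from the article or from any project it names); it walks the script tags of an HTML document, flags loads from the hosts the article names, and reports any other third-party script that carries no Subresource Integrity attribute. The sample page and the `example-cdn.test` and `www.example.test` hosts are constructed for illustration.

```python
"""Added example: scan an HTML page for script tags that load from the
polyfill.io CDN or the look-alike 'googie-anaiytics' domain named above, and
flag any other third-party script that carries no Subresource Integrity
attribute. The sample page below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article (written there in defanged form).
KNOWN_BAD_HOSTS = {
    "cdn.polyfill.io",
    "polyfill.io",
    "www.googie-anaiytics.com",
    "googie-anaiytics.com",
}


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)  # attribute names arrive lower-cased
            if attributes.get("src"):
                self.scripts.append(attributes)


def audit_html(html, site_host):
    """Return (finding, src) tuples for a page served from site_host."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"]
        # A relative src has no host in the URL and is therefore first-party.
        host = (urlparse(src).hostname or site_host).lower()
        if host in KNOWN_BAD_HOSTS or host.endswith(".polyfill.io"):
            findings.append(("KNOWN_BAD_SOURCE", src))
        elif host != site_host.lower() and "integrity" not in attrs:
            findings.append(("THIRD_PARTY_NO_SRI", src))
    return findings


# Constructed sample page: one polyfill.io load, one unpinned third-party
# script, one SRI-pinned third-party script and one first-party script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/ok.js" integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding, src in audit_html(SAMPLE_HTML, "www.example.test"):
        print(f"{finding}: {src}")
```

Run over the sample page, the scanner reports the polyfill.io load as a known bad source and `lib.js` as an unpinned third-party script; the pinned `ok.js` and the first-party `app.js` are silent. In practice the same check is run over crawled pages or over the HTML your own build emits, so that a dependency does not silently keep loading from a domain after it has changed hands.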

Websites affected by Polyfill

Mitigations

[1] For supply chain management:

  1. Regular Audits and Monitoring: Conduct regular security audits and monitor third-party services for unusual activity. Early detection can help prevent widespread damage.

  2. Content Security Policy (CSP): Implementing a robust CSP can help restrict the sources from which scripts can be loaded, reducing the risk of malicious code execution.

  3. Subresource Integrity (SRI): Use SRI to ensure that third-party scripts have not been tampered with. This security feature allows browsers to verify that a fetched resource matches the expected hash.

  4. Dependency Management: Maintain strict control over dependencies (a feature of Sonatype Nexus Repository) and avoid unnecessary third-party scripts. Regularly update and review dependencies to ensure they are secure.
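Points 2 and 3 above are both enforced by the browser, so it helps to see what the server has to emit. The block below is an added example (not code from the article or from any project it names): it generates and verifies an SRI `integrity` value for a script body, builds the pinned `<script>` tag, and evaluates a simplified `script-src` directive against a script URL. The policy, page origin and `example-cdn.test` hosts are constructed; the CSP matcher handles only `'self'`, host sources with an optional scheme and a leading `*.` wildcard, not nonces, hashes or scheme-only sources.

```python
"""Added example: generate and verify Subresource Integrity (SRI) values and
evaluate a simplified Content Security Policy script-src directive, the two
browser-enforced controls listed above. All host names are constructed."""
import base64
import hashlib
from urllib.parse import urlparse


def sri_integrity(script_bytes, algo="sha384"):
    """Integrity value for a script body, in the form the browser expects."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(integrity, fetched_bytes):
    """What the browser does: recompute the digest of the fetched bytes and
    refuse to execute the script if it differs from the pinned value."""
    algo, _, expected = integrity.partition("-")
    return sri_integrity(fetched_bytes, algo) == f"{algo}-{expected}"


def script_tag(src, script_bytes):
    """Pinned <script> tag; crossorigin is needed for SRI on cross-origin loads."""
    return (f'<script src="{src}" integrity="{sri_integrity(script_bytes)}" '
            'crossorigin="anonymous"></script>')


def script_src_allows(policy, script_url, page_origin):
    """Simplified CSP check: 'self', host sources with optional scheme and a
    leading *. wildcard. Nonces, hashes and scheme-only sources are not handled
    and are treated as not matching."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src falls back to default-src, as in the browser.
    sources = directives.get("script-src", directives.get("default-src", []))
    url, page = urlparse(script_url), urlparse(page_origin)
    for source in sources:
        if source.startswith("'"):
            if (source.lower() == "'self'" and url.scheme == page.scheme
                    and url.hostname == page.hostname):
                return True
            continue  # 'none', 'unsafe-inline', nonces and hashes: no match here
        scheme, sep, rest = source.lower().partition("://")
        if not sep:
            scheme, rest = "", source.lower()
        host = rest.split("/")[0].split(":")[0]
        if scheme and scheme != url.scheme:
            continue
        if host.startswith("*."):
            if url.hostname and url.hostname.endswith(host[1:]):
                return True
        elif host == url.hostname:
            return True
    return False


if __name__ == "__main__":
    body = b"console.log('hello');"  # constructed script body
    tag = script_tag("https://cdn.example-cdn.test/lib.js", body)
    print(tag)
    pinned = tag.split('integrity="')[1].split('"')[0]
    print("unmodified body accepted:", sri_matches(pinned, body))
    print("tampered body accepted:  ", sri_matches(pinned, body + b"//tampered"))
    policy = "default-src 'self'; script-src 'self' https://cdn.example-cdn.test"
    print("polyfill.io allowed:", script_src_allows(
        policy, "https://cdn.polyfill.io/v2/polyfill.min.js", "https://www.example.test"))
```

Two caveats a practitioner should keep in mind. SRI only works when the bytes behind a URL are fixed; a polyfill service that tailors its output to the requesting User-Agent cannot be pinned, so the practical answer for such a dependency is to self-host a fixed copy or drop it. And a CSP allow-list that names `cdn.polyfill.io` would still have allowed the tampered file, because the listed domain itself was the problem; the allow-list therefore has to be re-examined whenever a listed domain changes ownership.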

[2] For the browser side:

  1. Disable JavaScript where it is not required.

  2. Keep browsers updated.

  3. Encrypt data at rest.

  4. Avoid visiting shady websites.

That is all folks !! ☺️

References

[1] https://github.com/polyfillpolyfill/polyfill-service/issues/2873 (Please be careful while visiting this website)

[2] https://www.darkreading.com/remote-workforce/polyfillio-supply-chain-attack-smacks-down-100k-websites

[3] https://blog.redsift.com/news/understanding-the-polyfill-io-domain-attack/

[4] https://developer.mozilla.org/en-US/docs/Glossary/Polyfill

[5] https://lyra.horse/blog/2024/05/exploiting-v8-at-openecsc/