Polyfill.io and Software Supply Chain Security: A Cautionary Tale

By Ansh Patnaik
Chief Product Officer
July 8, 2024

Over 100,000 websites using a popular JavaScript service (polyfill.io) are now victims of a web supply chain attack. A web supply chain attack is a type of software supply chain attack that targets a third-party web software component to gain access to an organization’s systems or data. These attacks can be difficult to prevent because they are hard to detect, take advantage of existing trust, and have long-lasting effects.

The attack stemmed from the takeover of a distribution repository. This past February, the Chinese company Funnull took ownership of cdn.polyfill.io, a domain hosting the polyfill.js JavaScript library. Polyfill.js is a widely used library integrated into many well-known web applications and is used to support older browsers.

The attack deploys automatically on websites that embed scripts from cdn.polyfill.io; the injected code uses dynamically generated payloads to redirect users to malicious sites and can potentially steal data.

ICANN-accredited registrar Namecheap took down the domain on June 27 due to multiple reports of malicious activity, eliminating the immediate risk. However, it is still recommended that any polyfill.io code references be removed.

There are several write-ups of the malware itself, including this one from Sansec. This post will use the polyfill.io example to illustrate how to avoid this type of web supply chain security risk.

Software Supply Chain Security in a Nutshell

The analyst firm Gartner provides a succinct definition: “Software supply chain security (SSCS) is the set of processes and tools used to curate, create and consume software in ways that mitigate attacks against software or its use as an attack vector. Curation focuses on assessing risks of third-party software and assessing its acceptability. Creation focuses on secure development and the protection of software artifacts and the development pipeline. Consumption validates integrity of software through verification, provenance and traceability.” 

Put more simply, it’s all the software you use and build into your software, plus how your developers write code and monitor the code after it’s deployed. SolarWinds is probably the biggest known example of a software supply chain attack to date. Over 18,000 organizations were impacted, with some reports stating the attack cost those affected 11% of their revenue on average. Gartner estimates the cost of supply chain attacks will grow from $40 billion in 2023 to $138 billion in 2031. This is a big number that underlines the importance of supply chain security. As an example, the U.S. government has started asking its suppliers to provide a software bill of materials (SBOM).

There are many aspects to creating a software supply chain security program. 

  • Scan third-party code using a source code analysis (SCA) tool. 
  • Enforce strong authentication on all internal software repositories to prevent unauthorized access. 
  • All code needs to be scanned by static application security testing (SAST) and dynamic application security testing (DAST) before deployment into production. 
  • Scan running code for web supply chain attacks in production.

There’s much more detail to what organizations need to do pre-deployment. The rest of this blog will focus on what happens to code that’s already been deployed when web supply chain-delivered malware is identified.

Open Source Repository Takeovers

When an unknown or untrusted person or organization takes over a code repository or distribution site, the risks are obvious. Polyfill was an interesting case in that the repository wasn’t attacked or compromised; it was sold, and the library was manipulated under new ownership. 

Open-source libraries are particularly vulnerable to these types of takeovers as the original authors move on or lose access to their work. A recent study by Synopsys found ninety-six percent of total codebases contain open source components – illustrating the potential impact of this issue.

Trusting open-source distributions involves a combination of due diligence, community engagement, and technical verification to ensure that the software is secure, reliable, and suitable for your needs. Common approaches include examining project maturity and popularity, reviewing the license, and checking update frequency. You want a well-maintained, well-used distribution that has the minimum functionality required.

How CyCognito Detects Polyfill.io

CyCognito identifies technologies (including third-party components like polyfill.io) used on websites and web applications. These are represented in the platform as common platform enumeration (CPE) services. Here’s how you do it.

Step 1: Search for Instances of the polyfill.js Library

CyCognito users can search their external attack surface for web applications that utilize polyfill using our advanced search feature. Organizations looking for polyfill.io instances simply run the filter “service contains ‘polyfill.js’” as shown in Figure 1 below. CyCognito’s AI search feature can also be used, letting users enter the request in plain English, such as “show me which web apps use polyfill.js.”

Figure 1. An Advanced Search filter that finds instances of polyfill.js

Step 2: Review Details on Polyfill.js Usage

Once web application assets that include polyfill.js are found, CyCognito users can review details, including ownership, location, and whether additional risk is present, as shown in Figure 2. Assets are shown by default in order of severity, i.e., security grade.

Figure 2. Details on all assets that contain polyfill.js are displayed

Step 3: Create Tickets for Web Application Remediation Teams

Users can then send a list of identified assets through an integration to a SIEM or ticketing system. CyCognito includes remediation steps in the ticket, as shown in Figure 3.

Figure 3. An example remediation ticket created in Splunk shows details and remediation steps.

Step 4: Validate Assets 

Once the ticket is closed, an API call will be sent to the CyCognito platform where a validation step is taken to ensure the asset no longer contains polyfill.io code. 
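As an added example (not CyCognito’s platform code), a stand-alone check a remediation team could run over a page’s HTML for the detection and validation steps above: it flags script tags loaded from polyfill.io or any of its subdomains, and after the fix confirms that no reference remains. The sample pages are constructed, not captured from any real site.

```python
# Added example, not CyCognito's code: scan a page's HTML for <script> tags that
# load from polyfill.io, to flag an asset or validate it after remediation.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The compromised distribution domain named in the post; subdomains also match.
FLAGGED_DOMAINS = ("polyfill.io",)

def _host_of(src: str) -> str:
    """Lowercase hostname of a script src ('//host/x' and 'https://host/x');
    a relative path has no host and yields ''."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()

def _is_flagged(host: str) -> bool:
    # Exact domain or any subdomain (cdn.polyfill.io); a lookalike path is not a hit
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)

class _ScriptSrcCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        # Collect the src attribute of every <script> start tag
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())

def find_polyfill_references(html: str) -> list[str]:
    """Return script src values whose host is polyfill.io or a subdomain of it."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.sources if _is_flagged(_host_of(s))]

def asset_is_clean(html: str) -> bool:
    """Validation step: True only when no polyfill.io reference remains."""
    return not find_polyfill_references(html)

# Constructed sample page (not captured from any real site); the last script
# only mentions polyfill.io in its path and must not be flagged.
PAGE_BEFORE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.io/v2/polyfill.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/polyfill.io-lookalike.js"></script>
</head><body></body></html>"""
PAGE_AFTER = PAGE_BEFORE.replace("cdn.polyfill.io", "cdn.example.com")
```

The same function can be run against fetched HTML for each asset in the ticket before it is closed.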

Reach out to See How CyCognito Helps You Respond to Your Software Supply Chain Security Issues

Software supply chain security issues are becoming more prevalent. Organizations need to actively track the web application objects in use to gauge potential risk and respond efficiently. Web applications are particularly vulnerable because they rely on many components that can be compromised, including third-party libraries and open source software. CyCognito helps mitigate these risks by providing visibility into what third-party pre-built code exists in your attack surface.

Schedule a demo to find out how CyCognito can help you detect polyfill.io across your attack surface.