The Polyfill.io website has been caught up in a supply chain attack, with the result that malicious JavaScript is now being supplied through the site.

Along with sites such as Bootcss and BootCDN, Polyfill has been compromised by threat actors and transformed into a malicious site. Typically, Polyfill was a treasure trove of JavaScript code which allowed the use of contemporary JavaScript functions in older browsers. The Polyfill domain was sold to a new firm at the start of 2024, and it appears the infected code was inserted into the JavaScript shortly after this. With Polyfill supplying JavaScript code to an estimated 110,000 websites, the potential for damage is high.

Understanding the Polyfill Attack

Unsuspecting web developers are downloading JavaScript code from Polyfill and incorporating it into their websites, under the understanding it will help their sites load in older browsers. However, the malicious JavaScript code now hosted on Polyfill does something very different. As JavaScript will be activated once a user loads an infected website, this means the malware is then downloaded to that user’s PC.

The main impact of this malicious JavaScript is a combination of data theft and clickjacking (where a user is tricked into clicking an element on a page). Some of the infected scripts also redirect users to malicious sites containing further malware, sports betting websites, and pornographic content. The attack has been significant, with notable victims affected including Intuit and the World Economic Forum.

The infected code has been difficult to analyze as security researchers have found it’s protected by high levels of obfuscation. By generating payloads which are specific to HTTP headers and only activating on certain devices, the malicious JavaScript has been difficult to pin down and examine. The attack has also been significant enough for Google to start banning Google Ads linking to the infected sites.

Protecting Your PCs from Polyfill

If your organization has used code from Polyfill.io in the past, it’s time to remove this code from your website. This is simplest and most effective way to minimize the threat to your visitors. Nonetheless, there’s much more you can do to stay safe from malicious websites:

  • Use Strong Firewall and Antivirus Solutions: you can protect against malicious websites by using comprehensive firewall and antivirus software, such as AVG and McAfee. These tools filter out harmful traffic, block access to known malicious sites, and detect suspicious activities. This combination of protection prevents malware infections and data breaches which can originate from unsafe web pages.
  • Employ DNS Filtering: access to malicious websites can be blocked at a network level by using DNS filtering services. By filtering out dangerous domains and websites known for malware distribution or phishing, these services provide an additional layer of security, preventing users from visiting harmful sites and protecting the integrity of your IT infrastructure.
  • Employee Education: training your employees to recognize phishing attempts, avoid suspicious links, and understand the importance of secure browsing habits is crucial. Regularly updated cybersecurity training programs ensure your staff can identify and avoid potential threats, reducing the risk of falling victim to malicious websites.

For more ways to secure and optimize your business technology, contact your local IT professionals.