Here’s what you need to know about the progression of the Polyfill supply chain attack and how to respond.
Overview of Polyfill Supply Chain Attack
On June 25th, 2024, researchers at Sansec disclosed a supply chain attack affecting the polyfill.io content delivery network domain. This domain distributes the open-source polyfill.js library, which increases the compatible feature set of older browsers. In February 2024, the Chinese company Funnull acquired the polyfill.io domain. Sometime after that, the polyfill.io CDN began distributing malicious code in the Polyfill library. This added code redirects users to potentially harmful scam sites and is designed to activate selectively to avoid detection.
On June 27th, Sansec updated the disclosure and said: “Cloudflare has implemented real-time rewrites of cdn.polyfill.io to their own version. A little later, Namecheap has put the domain on hold altogether, which eliminates the risk for now. However, you are still recommended to remove any polyfill.io references in your code.”
How to Know If You’re Affected by the Polyfill Supply Chain Attack
If your sites or applications load the polyfill library from the polyfill.io CDN, rather than from a self-hosted polyfill service or the Cloudflare or Fastly alternatives, you may be affected. A quick baseline check is to search your code bases for references to the domain polyfill.io.
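The baseline check above, as an added example that is not part of the original post: a small scanner that walks a source tree and reports every line referencing polyfill.io or any of its subdomains (absolute, protocol-relative, or bare string form), while ignoring the Cloudflare and Fastly mirrors. The sample files are constructed for the demonstration.

```python
import re
import sys
from pathlib import Path

# Constructed stand-in for a code base (not taken from the original post).
SAMPLE_FILES = {
    "index.html": '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>',
    "legacy.js": "var s=document.createElement('script');s.src='//polyfill.io/v3/polyfill.min.js';",
    "safe.html": '<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>',
    "styles.css": "body { color: #333; }",
}

# The compromised domain and any subdomain of it (e.g. cdn.polyfill.io).
# Word boundaries keep unrelated hosts such as polyfill-fastly.io from matching.
POLYFILL_RE = re.compile(r"\b(?:[a-z0-9-]+\.)*polyfill\.io\b", re.IGNORECASE)

# Text file types worth scanning; binary assets are skipped.
SCAN_SUFFIXES = {".html", ".htm", ".js", ".jsx", ".ts", ".tsx", ".vue", ".php",
                 ".cshtml", ".erb", ".jinja", ".twig", ".json", ".md"}

def find_references(text):
    """Return (line_number, matched_host, stripped_line) for each polyfill.io hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in POLYFILL_RE.finditer(line):
            hits.append((lineno, m.group(0).lower(), line.strip()))
    return hits

def scan_mapping(files):
    """Run the check over an in-memory {name: content} mapping; returns {name: hits}."""
    findings = {}
    for name, content in files.items():
        hits = find_references(content)
        if hits:
            findings[name] = hits
    return findings

def scan_tree(root):
    """Walk a directory on disk and return {relative_path: hits} for affected files."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            files[str(path.relative_to(root))] = path.read_text(encoding="utf-8", errors="replace")
    return scan_mapping(files)

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_mapping(SAMPLE_FILES)
    for name, hits in results.items():
        for lineno, host, line in hits:
            print(f"{name}:{lineno}: {host} -> {line}")
```

A string search cannot see URLs assembled at runtime or injected by third-party scripts, which is why the post pairs it with dynamic testing of the requests a running application actually makes.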
The Veracode Vulnerability Database has been updated to include CVE-2024-38526, the first NIST NVD entry documenting this issue. This vulnerability will be flagged by a Veracode Software Composition Analysis (SCA) scan wherever it runs in your workflow: the CLI, the pipeline, or your IDE. This initial CVE covers one library that uses Polyfill, and it is likely that additional CVEs will be published in the coming days for other libraries that reference polyfill.io.
Given the way this attack has been implemented, a combination of SCA and Dynamic Analysis will be the most effective way to detect any vulnerabilities related to Polyfill. Veracode Dynamic Analysis and DAST Essentials can test whether your web application sends requests to polyfill.io and if your data is at risk.
Next Steps
Veracode Researchers continue to analyze the polyfill domain, and the Veracode Vulnerability Database will be updated as more affected open-source libraries are discovered and documented in CVEs, providing you with ongoing support and reassurance.
To learn about supply chain security beyond the NVD, check out our recent blog, Veracode Customers Shielded from NVD Disruptions.
You can get a free trial of DAST Essentials here to help protect your software supply chain.