Polyfill, Cloudflare trade barbs after reports of supply chain attack threatening 100k websites
Tech giant Cloudflare urged customers to remove a popular open source library used to support older browsers after reports emerged this week that the tool is being used to distribute malware.
Polyfill, which is used by more than 100,000 websites, bridges compatibility gaps between modern code and older browsers.
But on Wednesday, researchers at cybersecurity firm Sansec said in a report that Chinese company Funnull bought the polyfill.io domain and took control of its GitHub account.
“Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed from the GitHub repository,” Sansec said.
The report notes that the original polyfill author, Fastly developer Andrew Betts, warned in February that anyone using it should remove it immediately, explaining that he never owned the domain name and had no influence over its sale.
If your website uses https://t.co/3xHecLPXkB, remove it IMMEDIATELY.
I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale. https://t.co/GYt3dhr5fI
— Andrew Betts (@triblondon) February 25, 2024
Since the blog post was published, Cloudflare executives released their own statement saying polyfill “can no longer be trusted and should be removed from websites.” Cloudflare CEO Matthew Prince warned that “tens of millions of websites (4% of the web) uses polyfill.io.”
Cloudflare said it has received multiple reports and conducted its own investigation corroborating Sansec’s findings, confirming that “the polyfill service was being used, and could be used again, to inject malicious JavaScript code into users’ browsers.”
“This is a real threat to the Internet at large given the popularity of this library,” Cloudflare said, adding that it has released a tool that websites can switch to that will “avoid breaking site functionality while mitigating the risk of a supply chain attack.”
Cloudflare leaders also disputed claims made on the polyfill.io website that they recommended the service or allowed the company to use their name on the website. They said polyfill has ignored their requests to remove their name from the website and remove the false statements.
This refusal to respond is “yet another warning sign that they cannot be trusted,” they added, urging websites to find alternative solutions to the tool. As of Thursday afternoon, the polyfill website does not load.
Cloudflare’s concerns about polyfill date back to Betts’ comments in February, which prompted the company to create its own version of the service. Concerns about supply chain attacks were realized this week, when Sansec said it found malware delivered through polyfill that redirected mobile users to a sports betting site via a fake Google Analytics domain.
Cloudflare conducted its own investigation and confirmed that “malicious activity was active and associated with polyfill.io.” Cloudflare provided instructions on how website owners can remove polyfill.
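The remediation both Betts and Cloudflare describe comes down to finding every page that still loads a script from the polyfill.io domain and either removing the tag or pointing it somewhere the site operator controls. The following Node.js script is an added example written for this page; it is not Cloudflare's tool, Sansec's scanner, or anything the polyfill project ships. It scans a constructed sample HTML page for src and href attributes whose host is polyfill.io or any subdomain of it, and can rewrite those references to a replacement origin (the mirror host used here is a placeholder assumption, as is the PAGE_BASE used to resolve protocol-relative URLs).

```javascript
// Added example: audit and rewrite third-party <script>/<link> references to polyfill.io.
// Not code from Cloudflare, Sansec or the polyfill project.

// Base used only to resolve relative and protocol-relative URLs (assumed, not a real site).
const PAGE_BASE = "https://page.example/";

// Constructed sample page for the demonstration; not taken from any real website.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//polyfill.io/v3/polyfill.min.js?features=es6'></script>
<script src=https://cdn.polyfill.io/v2/polyfill.min.js></script>
<script src="https://example.com/static/app.js"></script>
<script src="/static/vendor.js"></script>
<link rel="preconnect" href="https://cdn.polyfill.io">
</head><body></body></html>`;

// Matches "<tag ... src=value" or "<tag ... href=value" with double-, single- or unquoted values.
// Groups: 1 = tag name, 2 = attribute name, 3/4/5 = the value (whichever quoting style matched).
const ATTR_RE = /<([a-z][a-z0-9-]*)\b[^>]*?\s(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Hostname of a URL as the browser would resolve it from PAGE_BASE, or null if unparseable.
function hostOf(rawUrl) {
  try {
    return new URL(rawUrl, PAGE_BASE).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// True for polyfill.io itself and any subdomain (cdn.polyfill.io), but not for
// look-alikes such as polyfill.io.evil.test or notpolyfill.io.
function isPolyfillHost(host) {
  return host !== null && (host === "polyfill.io" || host.endsWith(".polyfill.io"));
}

// Every src/href reference in the document, with the tag and attribute it sits on.
function externalRefs(html) {
  const refs = [];
  for (const m of html.matchAll(ATTR_RE)) {
    refs.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), url: m[3] ?? m[4] ?? m[5] });
  }
  return refs;
}

// Only the references that would cause the browser to contact polyfill.io.
function findPolyfillRefs(html) {
  return externalRefs(html).filter((ref) => isPolyfillHost(hostOf(ref.url)));
}

// Rewrite each polyfill.io reference to replacementOrigin, preserving path and query
// so the requested feature list survives. Returns the new HTML and how many were changed.
function rewritePolyfillRefs(html, replacementOrigin) {
  let count = 0;
  const rewritten = html.replace(ATTR_RE, (whole, _tag, _attr, dq, sq, uq) => {
    const url = dq ?? sq ?? uq;
    if (!isPolyfillHost(hostOf(url))) return whole;
    const parsed = new URL(url, PAGE_BASE);
    const replacement = replacementOrigin + parsed.pathname + parsed.search;
    count += 1;
    // The attribute value is the tail of the match; function replacer avoids "$" expansion.
    return whole.replace(url, () => replacement);
  });
  return { html: rewritten, count };
}

// Stand-alone run: list what the sample page would load from polyfill.io, then rewrite it.
for (const ref of findPolyfillRefs(SAMPLE_HTML)) {
  console.log(`${ref.tag} ${ref.attr}=${ref.url}`);
}
// "https://cdn.example-mirror.test" is a placeholder for a mirror or self-hosted copy you control.
const result = rewritePolyfillRefs(SAMPLE_HTML, "https://cdn.example-mirror.test");
console.log(`rewrote ${result.count} reference(s)`);
```

Run it over the HTML your server actually emits (templates and built assets alike), since a single surviving tag is enough to load the attacker-controlled script on every page that includes it. Subresource Integrity is not a substitute here: polyfill.io served different bundles depending on the requesting User-Agent, so there is no single hash to pin. Removing the tag, or serving the polyfills from an origin you control, is the fix.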
On social media, the person behind polyfill’s X account published multiple messages about the fiasco, denying the reports of a supply chain attack.
“Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would be jeopardize [sic] our own reputation,” the account said.
In a follow-up message on X, they called Cloudflare’s blog “baseless, and malicious defamation” and claimed Cloudflare is “suppressing competition before promoting their own products is deplorable.”
Researchers directed Recorded Future News to concerns raised about polyfill on GitHub that were deleted and scrubbed from the polyfill page. GitHub said it is investigating the issue.
Open Source concerns
Sarah Jones, cyber threat intelligence research analyst at Critical Start, warned that polyfill's widespread adoption across various industries — including e-commerce, finance, media and entertainment, and healthcare — “provides a vast network of websites for malicious actors to exploit.”
Jones noted that the incident highlights the inherent vulnerability of relying on the security practices of third-party open-source maintainers.
The polyfill situation comes just months after two incidents highlighted the difficulties facing the open source community. In April, security researchers stopped a “credible” takeover attempt against a JavaScript project hosted by the OpenJS Foundation. One month before that, experts found malicious code embedded in a popular Linux compression tool known as XZ Utils.
Both incidents spotlighted the urgent need to address weaknesses in the management of open source software. In the XZ Utils situation, malicious actors preyed on an exhausted maintainer to get access to the project and with OpenJS, the hackers repeatedly contacted maintainers demanding they be designated as a new maintainer of the project.
Federal cybersecurity officials said at the time that the incidents highlight “a fundamental shift needed: every technology manufacturer that profits from open source software must do their part by being responsible consumers of and sustainable contributors to the open source packages they depend on.”
Experts, government officials and the Open Source Security Foundation have since announced a slate of potential measures designed to avoid situations like those seen with polyfill, XZ Utils and OpenJS, and some have floated concepts like a “retirement home” where open source projects can be transferred to the control of trusted parties.
Critical Start’s Jones said organizations need to implement stricter vetting procedures for adopted libraries and prioritize regular security audits to mitigate such risks.
“Additionally, developers need to be more vigilant when integrating third-party code into their projects. The open-source community must prioritize collaboration and transparency to ensure the continued integrity and security of this vital software development resource,” she said.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.