
Polyfill security risk


Solved by teraßyte

Recommended Posts

Hi Team,

I got the email below from CloudFlare. I am not sure whether this applies to the IPS software or not. Thanks.

Quote

Dear Customer,

A website under your account is loading JavaScript libraries from a third-party service called polyfill{.}io. This service has been observed serving malicious content.

To reduce the risk of your users loading malicious code, we strongly advise you remove any links to the polyfill{.}io domain by replacing them with an alternative service such as https://cdnjs.cloudflare.com/polyfill/. You can also use Page Shield, our client side security solution, to identify which pages are serving links to the library – here is how to get started.

polyfill{.}io is a popular JavaScript library service used by many thousands of sites across the Internet. Cloudflare and its customers are not specific targets.

In February 2024, the polyfill{.}io domain was transferred to a new owner, which raised concerns. Cloudflare stood up an alternative service to address those concerns, described in our blog post. A report just released by Sansec on June 25, 2024, disclosed that the entity now running the polyfill{.}io service had injected malware into JavaScript libraries hosted under the domain. Examples of URLs which have been serving the malicious code include:

https[:]//polyfill(.)io/v3/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v2/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v3/polyfill.min.js
https[:]//polyfill(.)io/v3/polyfill.js
https[:]//cdn(.)polyfill(.)io/v2/polyfill.js
https[:]//cdn(.)polyfill(.)io/v1/polyfill.min.js
https[:]//polyfill(.)io/v2/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v3/polyfill.js
https[:]//polyfill(.)io/v2/polyfill.js

We will provide additional updates as available.

Thanks,
The Cloudflare Team

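As an added example (not part of the thread, not Cloudflare's code and not part of the IPS software), the check the notice above recommends, scripted in Node.js: scan a page or theme template for `<script src=...>` tags that point at polyfill.io or any of its subdomains, report the line each one sits on, and rewrite the URL onto the cdnjs mirror the notice names. The sample HTML is constructed to resemble the Google Maps documentation samples discussed later in the thread; the assumption that the mirror accepts the same `/vN/...` path and `?features=` query string is mine and should be checked against Cloudflare's current documentation.

```javascript
'use strict';

// Domain named in the Cloudflare notice; every subdomain of it is treated the same way.
const COMPROMISED_DOMAIN = 'polyfill.io';
// Replacement origin recommended in the same notice.
const REPLACEMENT_BASE = 'https://cdnjs.cloudflare.com/polyfill/';

// <script ... src=...> with a double-quoted, single-quoted or bare attribute value.
const SCRIPT_SRC_RE = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Resolve an absolute, protocol-relative or relative src to a hostname.
// Relative paths resolve against a dummy origin and are therefore never flagged.
function hostOf(src) {
  try {
    return new URL(src.trim(), 'https://site.invalid/').hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function isPolyfillHost(host) {
  return host === COMPROMISED_DOMAIN ||
    (host !== null && host.endsWith('.' + COMPROMISED_DOMAIN));
}

// Every script reference to polyfill.io in an HTML/template string,
// with the 1-based line number on which it appears.
function findPolyfillReferences(html) {
  const hits = [];
  SCRIPT_SRC_RE.lastIndex = 0;
  let m;
  while ((m = SCRIPT_SRC_RE.exec(html)) !== null) {
    const src = m[1] ?? m[2] ?? m[3];
    const host = hostOf(src);
    if (isPolyfillHost(host)) {
      const line = html.slice(0, m.index).split('\n').length;
      hits.push({ line, src, host });
    }
  }
  return hits;
}

// Map a polyfill.io URL onto the cdnjs mirror. Assumption (mine, not stated in the
// thread): the mirror keeps the same /vN/... path and ?features= query string.
function rewriteToCdnjs(src) {
  const u = new URL(src.trim(), 'https://site.invalid/');
  return REPLACEMENT_BASE + u.pathname.replace(/^\/+/, '') + u.search;
}

// Rewrite every flagged reference; returns the new markup and the number replaced.
function rewriteHtml(html) {
  let replaced = 0;
  const out = html.replace(SCRIPT_SRC_RE, (whole, dq, sq, bare) => {
    const src = dq ?? sq ?? bare;
    if (!isPolyfillHost(hostOf(src))) return whole;
    replaced += 1;
    return whole.replace(src, rewriteToCdnjs(src));
  });
  return { html: out, replaced };
}

// Constructed sample page (not a real site) mixing flagged and benign script tags.
const SAMPLE_HTML = [
  '<!doctype html>',
  '<html><head>',
  '  <script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>',
  "  <script src='//cdn.polyfill.io/v2/polyfill.min.js'></script>",
  '  <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>',
  '  <script src="/static/app.js"></script>',
  '</head><body><div id="map"></div></body></html>',
].join('\n');

for (const h of findPolyfillReferences(SAMPLE_HTML)) {
  console.log(`line ${h.line}: ${h.host} -> ${rewriteToCdnjs(h.src)}`);
}
console.log(rewriteHtml(SAMPLE_HTML).html);
```

Run it over theme templates and any custom HTML blocks in the admin panel; references injected by a third-party integration at runtime will not show up in stored templates, so a client-side check such as the Page Shield tool the notice mentions is the complement to a source scan.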

Okay, I found out what is going on thanks to an email from Google. It seems some of their Google Maps JS (?) was also using polyfill.io:

Quote

What happened
We have become aware of a security issue that may be affecting websites using specific third-party libraries (including polyfill.io). This issue can sometimes redirect visitors away from the intended website without website owner knowledge or permission, or potentially cause other malicious behavior. Many of the Maps JavaScript API samples in the Developer Documentation previously included a polyfill.io script declaration. We have removed this from those samples. If you have used the Maps JavaScript API samples that contain this declaration, we recommend removing the declaration.


The text doesn't explicitly say they were using it too (only examples), but nothing else comes to mind since I don't use that JS library on my site, either. 🙄

Edited by teraßyte

5 minutes ago, sadams101 said:

I got this warning as well, do we need to do anything? I do use google maps, and I also don't see anything on my site that calls polyfill.io.

Google is sending it out to all its customers who use Maps and other examples, because their examples included it. If you're using the integration which comes with the software, we do not implement it.
