Hijacked polyfill hits over 110k websites in supply chain attack

June 26, 2024

TLDR:

  • Over 110,000 websites have been affected by a supply chain attack involving the Polyfill.io service.
  • Google has taken steps to block ads for e-commerce sites using Polyfill.io after a Chinese company acquired the domain.

More than 110,000 websites embed JavaScript from the Polyfill.io service, and all of them were exposed when the domain changed hands. A Chinese company acquired polyfill.io earlier this year, and the scripts it now serves from cdn.polyfill.io have been altered to inject code that redirects visitors to malicious and scam sites. Andrew Betts, who created the original polyfill project but never owned the domain, has urged site owners to remove the tag immediately, noting that no website today requires any of the polyfills the service offers because current browsers already implement those features.

Cloudflare and Fastly had already stood up drop-in replacement endpoints when the domain was sold, precisely because a third party serving script into thousands of pages is an attractive supply chain target. The Dutch e-commerce security firm Sansec then found cdn.polyfill.io serving malware that redirected visitors to sports betting and pornographic sites.
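The practical remediation is to find every page that still references polyfill.io and either delete the tag, as Betts recommends, or repoint it at a replacement host. The scanner below does that over HTML text; it is an added example and is not code from this page, from Sansec, or from the polyfill project. The sample HTML is constructed, the replacement base URL is a parameter, and the Cloudflare path used in the usage note is an assumption to check against the vendor's documentation. One caveat: fetching the script once from a workstation proves nothing, because Sansec reported the injected code was generated per request from headers such as the User-Agent and only activated for certain devices and hours, so grep your own pages rather than the CDN's response.

```python
"""Find polyfill.io <script>/<link> references in HTML and strip or repoint them.

Added example (not from the article or the polyfill project). Assumes the
site's HTML is available as text: templates, static pages, or crawled output.
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Every subdomain of polyfill.io (cdn.polyfill.io, polyfill.io itself) is under
# the new owner's control, so match on the registrable domain, not a fixed host.
COMPROMISED_DOMAIN = "polyfill.io"

# Scheme+host portion of a polyfill.io URL as it appears inside a start tag.
# The lookahead stops "notpolyfill.io" or "polyfill.io.example" from matching.
HOST_RE = re.compile(r"""(?:https?:)?//(?:[a-z0-9-]+\.)*polyfill\.io(?=[/?"'\s>])""", re.I)
SCRIPT_END_RE = re.compile(r"</script\s*>", re.I)

# Constructed sample page: one compromised script, one harmless one, one
# protocol-relative preload link.
SAMPLE = """<!doctype html>
<html><head>
<title>Shop</title>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
<link rel="preload" href="//polyfill.io/v3/polyfill.min.js" as="script">
</head><body><p>hello</p></body></html>
"""


def is_polyfill_io(url: str) -> bool:
    """True if an absolute or protocol-relative URL points at polyfill.io or a subdomain."""
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower()
    return host == COMPROMISED_DOMAIN or host.endswith("." + COMPROMISED_DOMAIN)


class _Finder(HTMLParser):
    """Collects <script src> and <link href> start tags whose URL hits polyfill.io."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag == "script":
            url = attrs.get("src")
        elif tag == "link":
            url = attrs.get("href")
        if url and is_polyfill_io(url):
            # getpos() is the (1-based line, 0-based column) of the '<'.
            self.hits.append({"tag": tag, "url": url, "pos": self.getpos(),
                              "raw": self.get_starttag_text()})


def _offset(doc: str, line: int, col: int) -> int:
    """Convert HTMLParser's (line, col) into an index into doc."""
    return sum(len(l) + 1 for l in doc.split("\n")[: line - 1]) + col


def find_polyfill_refs(doc: str) -> list:
    """Return one dict per offending tag: tag name, URL, position, raw start tag."""
    parser = _Finder()
    parser.feed(doc)
    parser.close()
    return parser.hits


def remediate(doc: str, replacement_base: Optional[str] = None):
    """Return (new_html, hits).

    replacement_base=None deletes each offending element outright (the author's
    advice). Otherwise only the scheme+host is swapped for replacement_base, so
    the path, query string and its escaping are preserved exactly as written.
    """
    hits = find_polyfill_refs(doc)
    out = doc
    # Edit from the end of the document backwards so earlier offsets stay valid.
    for h in sorted(hits, key=lambda h: h["pos"], reverse=True):
        start = _offset(out, *h["pos"])
        if replacement_base is not None:
            new_tag = HOST_RE.sub(replacement_base.rstrip("/"), h["raw"], count=1)
            out = out[:start] + new_tag + out[start + len(h["raw"]):]
            continue
        if h["tag"] == "script":
            # Remove through the closing </script>, not just the start tag.
            m = SCRIPT_END_RE.search(out, start)
            end = m.end() if m else start + len(h["raw"])
        else:
            end = start + len(h["raw"])
        out = out[:start] + out[end:]
    return out, hits


if __name__ == "__main__":
    for h in find_polyfill_refs(SAMPLE):
        print(f"line {h['pos'][0]}: <{h['tag']}> loads {h['url']}")
    print(remediate(SAMPLE)[0])
```

Run it against each template or page on disk; a hit on any line is a finding regardless of what the CDN returns today. To repoint instead of delete, pass a base such as the (assumed) Cloudflare path `https://cdnjs.cloudflare.com/polyfill`, after confirming the exact endpoint with the vendor.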

Separately, a critical flaw in Adobe Commerce and Magento lets attackers read private files from the server and can be chained to remote code execution. Fixes are available, but many stores remain unpatched.

The lesson is the usual one for third-party script: any domain you load code from has as much control over your page as you do, and its ownership can change without notice. Subresource Integrity would not have helped here, since Polyfill.io generated a different bundle per User-Agent and an integrity hash cannot cover content that varies per request. The durable fixes are to drop the dependency, or to self-host a pinned copy of any polyfill you genuinely still need.
