Recently, the cybersecurity landscape was shaken by a significant supply chain attack involving polyfill.io. This attack, impacting over 100,000 websites, exploited the trust placed in the polyfill.io service to inject malicious code into websites through compromised polyfill JavaScript. The malicious actors, believed to be operating from China, used this vector to perform redirection attacks, sending unsuspecting users to scam sites. In this article we provide our investigation and a responsible recommendation to our valued customers.
What is Polyfill
Polyfills are code snippets or scripts, typically written in JavaScript, that provide modern functionality to older web browsers that do not support certain features or APIs. They act as a “filler” or “patch” by replicating the functionality that is missing in older browsers, allowing developers to write code using modern web standards without worrying about compatibility issues with older browser versions. For example, if a new JavaScript feature is introduced in modern browsers but is not supported in older versions like Internet Explorer 11, developers can use a polyfill to ensure that the feature works correctly in all browsers. Polyfills help maintain consistency and usability across different browser types and versions, bridging the gap between older and newer web technologies.
Understanding Supply Chain Attacks
A supply chain attack targets the vulnerabilities within an organization’s supply chain, often through third-party services and resources. Modern web applications typically rely on numerous third-party resources for functionality. These resources, trusted by website owners, can access the entire web page, including sensitive information within the Document Object Model (DOM) and cookies. This trust can be exploited, as seen in the polyfill.io incident, to compromise web applications by injecting malicious code into legitimate third-party libraries.
Overview of the Polyfill.io Attack
Root Cause
The specific root cause of the Polyfill.io supply chain attack can be distilled into a few critical issues:
Malicious Takeover of Project Maintenance
A malicious actor gained control over the Polyfill.io project through an ownership transfer to a Chinese company named Funnull. This transfer gave them the ability to modify the codebase and distribute malicious updates. Soon after the acquisition, the new owners injected malicious scripts into the polyfill JavaScript, affecting over 100,000 websites by redirecting users to scam sites. This attack underscores the vulnerabilities of third-party scripts and the importance of rigorous security practices for web applications.
High Trust in Popular Open-Source Libraries
The widespread trust in Polyfill.io, given its popularity and perceived reliability, led developers to integrate it without sufficient scrutiny or additional safeguards. This high level of trust meant many users did not independently verify the integrity of the code they were including in their projects. To mitigate such risks, it’s recommended to use well-maintained packages from sources like NPM or host the package on a domain owned by the implementer. Additionally, using services like Google’s Assured Open Source Software allows organizations to benefit from Google’s significant expertise and resources, providing defense in depth.
Inadequate Monitoring of 3rd Party Dependencies
Many users did not implement rigorous monitoring or validation of 3rd party dependencies, relying instead on the assumption that such a popular library would be safe, despite its control lying entirely out of their hands. This left them vulnerable when the codebase was maliciously altered. The compromised code was then distributed through the usual channels of the Polyfill.io service, reaching a large number of websites that trusted and used this service.
dotCMS's Perspective on the Polyfill Attack
At dotCMS, we understand the complexities and risks associated with integrating third-party resources into web applications. The polyfill.io attack is a stark reminder of the vulnerabilities inherent in modern web development practices. The attack mainly used client-side techniques to target all browsers, making detection and mitigation challenging.
Our Response and Mitigation Strategies
To address and mitigate the impact of the Polyfill.io supply chain attack, we have implemented and recommend the following measures:
dotCMS Response
Regular Audits and Dependency Management: dotCMS regularly audit and update third-party dependencies using tools like docker scout, Dependabot, and OWASP Dependency-Check.
Content Security Policy (CSP): dotCMS configures CSP headers to restrict script sources.
JavaScript Monitoring: dotCMS conducts regular client-side security checks like penetration testing to monitor and analyze JavaScript execution in real-time. Additionally, our bug bounty program encourages security researchers to identify and report potential vulnerabilities, further enhancing our security posture.
Recommendations for Customers
For our customers, we recommend:
Runtime Application Self-Protection (RASP): To integrate RASP solutions to monitor and protect applications from within.
Code Reviews and Static Analysis: Use static analysis tools to scan codebases and third-party libraries for vulnerabilities.
Manual Code Reviews: Conduct regular manual code reviews to identify potential security issues.
Supply Chain Security Best Practices
Vendor Vetting: Thoroughly vet third-party vendors before integration.
Continuous Improvement: Stay informed about new supply chain security threats and continuously improve your security posture.
Lessons Learned and Best Practices
The polyfill.io attack underscores the importance of robust security practices in web development. Here are some key takeaways:
Regularly Audit Third-Party Resources: Conduct thorough audits of third-party libraries and services to ensure they are secure and up-to-date.
Implement Real-Time Monitoring: Use real-time monitoring tools to detect and respond to suspicious activities swiftly.
Adopt a Zero-Trust Approach: Minimize trust in third-party resources and validate their behavior continuously.
Educate and Train Developers: Ensure your development team is aware of the risks associated with third-party integrations and trained in secure coding practices.
Conclusion
The polyfill.io supply chain attack highlights the critical vulnerabilities that can arise from third-party dependencies in web development. At dotCMS, we are committed to providing our customers with robust security solutions to protect against such threats. By adopting best practices and leveraging advanced monitoring tools, we can collectively enhance the security and integrity of our web applications.
Stay informed and stay secure. For more insights and updates, follow dotCMS on our blog and social media channels.