The recent discovery of a website supply chain attack using the cdn.polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become the epicenter of a significant website supply chain attack. As of this writing, it is estimated that this attack has targeted over 100,000 websites, including well-known brands.
At Imperva, we recognize the significance of safeguarding against these attacks, which can potentially jeopardize the security of entire websites and their users. Upon learning about the alarming nature and scale of this attack, we promptly took action to guarantee the safety and security of our customers and their users.
How the Attack Unfolded
Funnull, a Chinese company, acquired the domain polyfill[.]io. After the acquisition, Funnull began inserting malicious code into the scripts served to end users. So far, over 100,000 sites have been impacted. When developers included the cdn.polyfill[.]io scripts in their websites, the code was fetched directly from the domain owned by Funnull.
This code dynamically generates payloads based on HTTP headers, specifically targeting mobile devices, evading detection, avoiding admin users, and delaying execution. The malicious scripts often include a fake Google Analytics link, redirecting users to various inappropriate, scam, or phishing websites, which could lead to data theft.
The malicious domains used advanced evasion tactics, including protections against reverse engineering, activating only on specific mobile devices at certain times, and avoiding execution when admin users or web analytics services are detected.
While the polyfill[.]io domain has been suspended by its registrar and can no longer redirect users to malicious sites, we believe it is still important to remove all related scripts to maintain security best practices.
Immediate Response from Imperva
Our Client-Side Protection solution swiftly identified which customers and specific websites had these compromised domains in their codebase. Imperva Client-Side Protection helps detect such threats and provides immediate action to mitigate risks. If you are an Imperva customer currently using Client-Side Protection with Instant Blocking enabled, you are protected from this attack. For Client-Side Protection customers who don’t have this feature enabled, you can find a quick guide on how to turn it on here.
How You Can Protect Your Website
- Onboard to Imperva Client-Side Protection: Gain visibility and control into all domains and scripts on your client-side by onboarding to Client-Side Protection. This visibility empowers you to proactively manage and monitor your website’s components, ensuring that any potentially malicious domains can be identified and addressed promptly.
- Catalog Your Domains: Maintain a catalog of all domains used in your client-side code to facilitate rapid response to security threats. By maintaining an updated list of these domains, you can respond swiftly if a malicious domain is discovered in the future. This proactive approach allows you to mitigate risks promptly and protect your users effectively.
- Check Your Codebase: Review your website’s client-side code to identify any instances of polyfill[.]io, cdn.polyfill[.]io, or www.googie-anaiytics[.]com.
- Remove the Domains: Once identified, immediately remove these domains from your codebase and replace them with secure alternatives.
- Set Up Alerting: Stay informed about newly discovered domains by turning on alerting through email, SIEM, or public APIs.
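To make the "Catalog Your Domains" and "Check Your Codebase" steps concrete, here is an added example (it is not part of the original post and not Imperva's product code) in Python that walks a directory of client-side code, extracts every hostname referenced by a URL in HTML and JavaScript files, flags the three indicator domains named in the list above, and reports any other hostname that is missing from a site-owner-maintained allowlist. The directory layout, the allowlist contents and the two sample files are constructed for this demonstration; the only values taken from the post are the indicator domains themselves.

```python
"""Catalog third-party script domains in client-side code and flag known-bad ones.

Added example. Assumptions (not from the original post): the site's HTML/JS is
available as files on disk, and the site owner maintains an allowlist of the
domains that are expected to appear. The indicator domains come from the post.
"""
import os
import re
import tempfile

# Indicator domains named in the post, written without the defanging brackets.
KNOWN_BAD_DOMAINS = {
    "polyfill.io",
    "cdn.polyfill.io",
    "www.googie-anaiytics.com",
}

# Matches the host part of absolute or protocol-relative URLs ("https://host/..."
# or "//host/...") in src/href attributes and in JS string literals.
URL_RE = re.compile(r"""(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?=[/"'\s>?#:]|$)""")

# File types that commonly carry client-side script references.
SCAN_EXTENSIONS = {".html", ".htm", ".js", ".mjs", ".jsx", ".ts", ".tsx", ".php"}


def extract_domains(text):
    """Return the set of hostnames referenced by URLs in the text, lowercased."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def is_known_bad(domain):
    """True if the domain is one of the indicators or a subdomain of one."""
    return any(domain == bad or domain.endswith("." + bad) for bad in KNOWN_BAD_DOMAINS)


def classify(domains, allowlist):
    """Split a set of domains into (known_bad, unapproved, approved)."""
    bad = {d for d in domains if is_known_bad(d)}
    unapproved = {d for d in domains - bad if d not in allowlist}
    approved = domains - bad - unapproved
    return bad, unapproved, approved


def scan_tree(root, allowlist):
    """Walk a directory and return {path: (bad, unapproved, approved)} for files with findings."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                domains = extract_domains(fh.read())
            bad, unapproved, approved = classify(domains, allowlist)
            if bad or unapproved:
                findings[path] = (bad, unapproved, approved)
    return findings


# Constructed sample files: a page that still loads the polyfill CDN, and a
# script that inserts a tag pointing at the look-alike analytics domain.
SAMPLE_INDEX_HTML = """<!doctype html>
<html><head>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
  <script src="https://code.jquery.com/jquery.min.js"></script>
  <script src="/static/app.js"></script>
</head><body></body></html>
"""
SAMPLE_APP_JS = """// constructed sample: a dynamically inserted third-party tag
var s = document.createElement('script');
s.src = 'https://www.googie-anaiytics.com/analytics.js';
document.head.appendChild(s);
"""


def run_demo():
    """Write the constructed samples to a temp dir, scan it, and key findings by filename."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("index.html", SAMPLE_INDEX_HTML), ("app.js", SAMPLE_APP_JS)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        # Assumed allowlist maintained by the site owner (constructed).
        findings = scan_tree(tmp, allowlist={"code.jquery.com"})
    return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for fname, (bad, unapproved, approved) in sorted(run_demo().items()):
        print(f"{fname}: known-bad={sorted(bad)} unapproved={sorted(unapproved)} "
              f"approved={sorted(approved)}")
```

Running the script reports index.html with cdn.polyfill.io as known-bad and code.jquery.com as approved, and app.js with www.googie-anaiytics.com as known-bad. The unapproved bucket is what turns this into a catalog: anything it lists is a domain your site loads that nobody has signed off on, which is exactly the list you want on hand before the next such domain changes owners. Point `scan_tree` at your real web root with your own allowlist to use it beyond the demo.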
For Imperva customers not currently using Client-Side Protection, start a free trial today to discover if your site is vulnerable.
Our Commitment to Security
As a proactive measure, our support organization is actively working with the Client-Side Protection engineering team to notify and assist all customers identified on the list of compromised domains. Our goal is to ensure that every website owner understands the urgency of removing these domains to protect their users and maintain the integrity of their online presence.
Ensuring the security of your website and its visitors is crucial. Proactively removing and replacing compromised domains protects your users and maintains your reputation as a trustworthy online presence. Imperva is dedicated to supporting our customers through this process, and we encourage immediate action to mitigate potential risks. Together, we can defend against threats and foster a safer digital environment.
Protecting Against Malicious Client-Side Scripts with Imperva Client-Side Protection
Imperva Client-Side Protection prevents data theft from client-side attacks like formjacking, Magecart, and other online skimming techniques that often exploit vulnerabilities in the website supply chain. It mitigates the risk of your customers’ most sensitive data landing in the hands of bad actors, resulting in devastating, costly data breaches.
By providing clear visibility with actionable insights and easy controls, Imperva empowers your security team to effortlessly determine the nature of each client-side resource and block any unapproved ones. Imperva Client-Side Protection also ensures your organization meets the latest compliance standards, including those in PCI DSS 4.0. Leveraging Imperva’s advanced capabilities, you can safeguard your digital assets against sophisticated supply chain attacks, ensuring your customers’ data remains secure and your business operations uninterrupted.
Try Imperva for Free
Protect your business for 30 days on Imperva.