Polyfill.io JavaScript supply chain attack impacts over 100K sites

Over 100,000 sites have been impacted by a supply chain attack through the Polyfill.io service after a Chinese company acquired the domain and the script was modified to redirect users to malicious and scam sites.

Over 100,000 websites have been affected by a supply chain attack on the Polyfill.io service, which was acquired by a Chinese company earlier this year. The script was modified to redirect users to malicious and scam sites. The attack affects websites that embed the cdn.polyfill.io scripts, because those pages pull code directly from the Chinese company's site on every load.

Google has begun notifying advertisers about the supply chain attack, warning them about the malicious code and the potential redirects. The code causing these redirects seems to be coming from a few different third-party web resource providers, including Polyfill.io. If Google finds these redirects during its regular checks of ad destinations, it will disapprove the related advertisement.

Cloudflare and Fastly have set up their own mirrors of the Polyfill.io service to reduce the risk of potential supply chain attacks.
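To check whether your own pages are among those that embed the service, the following added example (not from the original article) scans HTML for `<script src>` and `<link href>` references whose host is polyfill.io or a subdomain of it. The function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_DOMAIN = "polyfill.io"  # domain named in the article


def host_matches(url, domain=FLAGGED_DOMAIN):
    """True when the URL's host is the domain itself or one of its subdomains."""
    try:
        # urlsplit also handles protocol-relative URLs such as //cdn.polyfill.io/...
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed URL (e.g. unbalanced IPv6 brackets)
        return False
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


class ScriptAudit(HTMLParser):
    """Collects (line, tag, url) for every flagged script/link reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(attr_name) if attr_name else None
        if url and host_matches(url):
            line, _ = self.getpos()
            self.findings.append((line, tag, url))


def audit_html(text):
    parser = ScriptAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample page: three flagged references, two look-alikes that must pass.
SAMPLE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//POLYFILL.IO/v3/polyfill.js"></script>
<link rel="preconnect" href="https://cdn.polyfill.io">
<script src="/static/polyfill.io/local-copy.js"></script>
<script src="https://polyfill.io.example.com/p.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for line, tag, url in audit_html(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Matching on the parsed hostname rather than a substring avoids false positives on local paths and look-alike hosts that merely contain the string `polyfill.io`.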
