The Web Ecosystem Between Vulnerability and Resilience: The Case of Polyfill.io
This report addresses the Polyfill.io security incident, analyzed as a case study to demonstrate the impact that poor management of external dependencies can have on the resilience of the modern web ecosystem. The Polyfill.io case represents one of the most extensive external dependency compromises in recent history, affecting over 100,000 websites through sophisticated mechanisms for injecting malicious code via compromised CDN infrastructure. The analysis reveals how a supposedly harmless JavaScript library, used for cross-browser compatibility, was hijacked and exploited as a global attack vector. The study investigates the mechanisms by which the polyfill.io domain was taken over and used for the conditional distribution of malicious code. Through comparative analysis with other major supply chain incidents (SolarWinds, Log4Shell, XZ Utils), the paper identifies the unique features of the Polyfill.io case - including the passive nature of the compromise, the almost instantaneous speed of propagation, and the unprecedented diversity of victims. The results of the analysis underline the importance of implementing strengthened security measures for managing external dependencies, such as systematically verifying the integrity of resources, enforcing content security policies, and continuously monitoring ownership changes within open-source projects.
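As an added illustration of two of the mitigations the abstract names (integrity verification of resources and content security policies), and not code from the paper, from Polyfill.io or from any of the vendors it cites: the Python script below pins a third-party script with a Subresource Integrity (SRI) hash, emulates the browser's integrity check against a constructed tampered body (standing in for a CDN that starts serving something else), audits a constructed HTML fragment for external scripts that carry no integrity attribute, and checks whether a CSP script-src directive still allowlists a given CDN origin. The host cdn.example.test, the script bodies, the HTML fragment and the CSP headers are all constructed for the example; the CSP matcher implements only a subset of the source-expression grammar.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample bodies: what the site audited and pinned, and what a
# hijacked origin might serve later under the same URL.
PINNED_BODY = b"(function(){if(!Array.prototype.includes){/* polyfill */}})();\n"
TAMPERED_BODY = PINNED_BODY + b"// extra code appended by the serving origin (constructed)\n"

_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI metadata value ('sha384-<base64 digest>') for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(integrity: str, body: bytes) -> bool:
    """Emulate the browser rule: among the listed digests, only those of the
    strongest recognised algorithm count, and the body must match one of them."""
    parsed = [(t.partition("-")[0], t) for t in integrity.split()
              if t.partition("-")[0] in _STRENGTH]
    if not parsed:
        return False  # no recognised digest: treat as a pinning failure in this audit
    strongest = max(_STRENGTH[a] for a, _ in parsed)
    return any(sri_hash(body, a) == t for a, t in parsed if _STRENGTH[a] == strongest)


def audit_scripts(html: str, served: dict) -> list:
    """Classify each external <script src> as 'unpinned', 'ok' or 'mismatch'.
    `served` maps URL -> body actually returned by the origin (constructed here)."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        src = attrs.get("src")
        if not src or not urlsplit(src).netloc:
            continue  # inline or same-origin relative script: not a third-party dependency
        integrity = attrs.get("integrity")
        if not integrity:
            findings.append((src, "unpinned"))   # browser would run whatever is served
        elif verify_sri(integrity, served[src]):
            findings.append((src, "ok"))
        else:
            findings.append((src, "mismatch"))   # browser would refuse to execute it
    return findings


def csp_allows(csp: str, src: str, page_origin: str) -> bool:
    """Subset of CSP source matching for script-src (falling back to default-src):
    'none', 'self', '*', scheme-source ('https:') and host-source with a '*.' prefix.
    Path components in host-sources are not handled."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    url = urlsplit(src)
    origin = f"{url.scheme}://{url.netloc}".lower()
    for source in sources:
        if source == "'none'":
            return False
        if source == "*":
            return True
        if source == "'self'":
            if origin == page_origin.lower():
                return True
        elif source.endswith(":"):
            if f"{url.scheme}:" == source:
                return True
        else:
            host = source.split("://", 1)[-1]  # drop an optional scheme prefix
            if host.startswith("*.") and url.netloc.lower().endswith(host[1:]):
                return True
            if url.netloc.lower() == host:
                return True
    return False


# Constructed page: one pinned CDN script, one unpinned CDN script, one local script.
SAMPLE_HTML = (
    '<script src="https://cdn.example.test/v3/polyfill.min.js" '
    f'integrity="{sri_hash(PINNED_BODY)}" crossorigin="anonymous"></script>\n'
    '<script src="https://cdn.example.test/v3/polyfill.min.js?features=es6"></script>\n'
    '<script src="/static/app.js"></script>\n'
)
# Constructed responses: the origin now serves the tampered body under both URLs.
SERVED = {
    "https://cdn.example.test/v3/polyfill.min.js": TAMPERED_BODY,
    "https://cdn.example.test/v3/polyfill.min.js?features=es6": TAMPERED_BODY,
}

if __name__ == "__main__":
    for src, status in audit_scripts(SAMPLE_HTML, SERVED):
        print(f"{status:9s} {src}")
    print("CSP allows CDN:", csp_allows("script-src 'self'", SERVED and next(iter(SERVED)),
                                        "https://www.example.test"))
```

The pinned script comes back as a mismatch, which is the outcome SRI is designed to produce when a CDN starts serving different bytes; the unpinned one is the finding an audit should escalate, since nothing stops the browser from executing whatever the origin returns. The CSP check is the complementary question to ask after a hosting change: whether the allowlist still names the origin at all.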