Deliberative Loading of a Global Polyfill: Compromise Simulation and OSINT Analysis
Modern web projects frequently rely on third-party packages and services (CDNs, polyfill providers) to ensure compatibility. A polyfill that modifies global objects (e.g. Array.prototype) provides convenient compatibility, but introduces a single point of failure: compromising that provider can lead to the distribution of malicious code to all pages that include it. The purpose of the study is to demonstrate, in a controlled manner, the effects of installing a global polyfill and to show how exposures can be identified and quantified through ethical OSINT techniques. This paper presents a reproducible methodology for simulating the scenario in which a polyfill installs its functionality globally (Array.prototype.findLast() as an example) and thereby expands the attack surface of web applications. Using a controlled environment and ethical OSINT techniques to map adoption and exposure in the public space, the paper assesses operational risks and proposes technical mitigation measures. The methodological emphasis is on reproducibility, non-intrusiveness and validation based on public evidence.