Pernicious and Precarious Polyfill.io: 380,000 websites were impacted. Is your WordPress site at risk?

The short version: You may have heard about the polyfill.io vulnerability in the news. Is your website at risk? If you’re subscribed to Command Media’s WordPress Site Assurance policy, the answer is NO!

But if you’re not subscribed to Site Assurance: Read on…!

The recent supply chain attack on the Polyfill.io JavaScript library has been found to affect over 380,000 hosts, as per findings by Censys. The compromised scripts, linking to the malicious domains “https://cdn.polyfill[.]io” and “https://cdn.polyfill[.]com,” have been widely embedded in various websites. Prominent companies such as WarnerBros, Hulu, Mercedes-Benz, and Pearson have also been identified as victims of this attack. The attack was first detected in late June 2024 when Sansec revealed that the code on the Polyfill domain had been altered to redirect users to adult and gambling websites based on specific conditions.

The attack traces back to February 2024, when the Polyfill domain and its associated GitHub repository were sold to the Chinese company Funnull. The malicious code introduced by Funnull triggered redirections at certain times and targeted specific visitors. In response, domain registrar Namecheap has suspended the domain, and content delivery networks like Cloudflare are replacing Polyfill links with safe alternatives. Additionally, Google has taken measures to block ads for sites using the compromised domain.

Several major WordPress plugins have been affected by the recent polyfill.io supply chain attack. Notably, the “WP User Frontend” plugin was found to be using the compromised library, prompting users to update or remove the polyfill to mitigate the risk. This plugin provides functionality for user registration, profile management, and content submission from the frontend (WordPress.org).

The most shocking vulnerability we here at Command Media found was that several of the Node.js dependencies involved in custom block development were impacted! So anyone who has done custom block development is potentially at risk.

Cutting to the chase: for you as a business owner, there is a real possibility that your WordPress site may have been impacted. The only way to know for sure is to have it audited by a developer.
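As an added illustration (not part of the original post and not Command Media's own tooling), the script below is the kind of check a developer audit starts with: it scans rendered HTML, theme and plugin PHP, and built JavaScript bundles for URLs whose host is polyfill.io or polyfill.com, the domains named above. The list of file extensions, the URL pattern, and the sample input are my own constructions; a live-host match does not by itself confirm that malicious code was served, only that the site loads from the compromised domain.

```python
"""Scan WordPress source or rendered HTML for references to the polyfill.io hosts."""
import os
import re

# Hostnames named in the post (cdn.polyfill.io / cdn.polyfill.com); matching the
# registrable domain also catches any other subdomain of them.
FLAGGED_DOMAINS = ("polyfill.io", "polyfill.com")
# Any absolute or protocol-relative URL; capture only the host part.
_URL_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)(?::\d+)?(?=[/?'\"\s)>]|$)")
# Rendered HTML, theme/plugin PHP and built JS bundles (where an npm dependency
# may have embedded the URL) are the files an audit should read (assumed list).
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js", ".mjs", ".json")

def host_is_flagged(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)

def find_flagged_refs(text):
    """Return (line_number, host, line) for each line referencing a flagged host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _URL_RE.finditer(line):
            if host_is_flagged(match.group(1)):
                hits.append((lineno, match.group(1).lower(), line.strip()))
                break  # one report per line is enough for an audit
    return hits

def scan_tree(root):
    """Walk a directory such as wp-content/ and map file path -> hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_flagged_refs(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: a theme header tag, a PHP enqueue call, a look-alike
# host that must NOT match, and a harmless CDN reference.
SAMPLE = """\
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
wp_enqueue_script('pf', '//cdn.polyfill.com/v2/polyfill.js');
<script src="https://polyfill.io.example.net/x.js"></script>
var u="https://cdn.jsdelivr.net/npm/core-js";
"""
```

Run `scan_tree("wp-content")` from the WordPress root to cover themes, plugins and uploaded bundles, and separately feed the rendered HTML of a few pages to `find_flagged_refs`, since database-stored content (widgets, page builders) only shows up in the output.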

If you’re concerned that you may have been impacted by polyfill.io – contact us now!