Supply Chain Attack Against Sites Using Polyfill[.]io CDN

The Polyfill[.]io CDN associated with the open-source Polyfill.js library has been compromised and the code served by the CDN has been modified to perform malicious actions. Essent does not use the library or the CDN, but your websites may be compromised if custom functionality referenced the Polyfill[.]io CDN.

The CDN is identified as Polyfill[.]io (without the square brackets). Note: All references to the domain of the CDN in this article have been intentionally broken by wrapping the dot in square brackets [.] to prevent the link from working.

Actions to Take

Bring this Support notice to the attention of your Information Technology department and any third-party vendors of web-based systems.

Issue

The CDN for the open-source browser compatibility library Polyfill, located at Polyfill[.]io, has been acquired from its original owner and has been modified to include unwanted behavior.

Impact

Visitors to sites that incorporate the library from Polyfill[.]io were being redirected to third-party sites, including sites with gambling and adult content. There are also reports of the modified library harvesting personally identifiable information, payment details, and credentials.

Essent Service Impact

Essent does not use the Polyfill library in any Essent services and products, including but not limited to Essent.com, EssentOne, and Essent SiteBuilder Pro Designer.

Corrective Action

Check all websites, including customized Essent SiteBuilder Pro sites for references to the Polyfill[.]io CDN that your web administrators may have added, then remove or replace them with references to a safe mirror of the Polyfill library.

Cloudflare has provided a safe mirror of the Polyfill CDN that may be used in place of Polyfill[.]io if it is still needed. See https://cdnjs.cloudflare.com/polyfill/ for more information on using the Cloudflare replacement.


If the reference is in your custom code:

For most sites, the Polyfill library is no longer required and can be removed as all modern browsers natively provide the interfaces that previously required Polyfill for cross compatibility between browsers.

If the site contains functionality that is dependent on the Polyfill library, replace the reference with one to a safe mirror, such as the Cloudflare one described above.


If the reference is in code loaded from a third-party vendor:

Notify the third-party vendor serving the reference to Polyfill[.]io immediately and remove their functionality from the site until the issue has been resolved by the vendor.
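As an added example (not part of this notice and not Essent code), the following Python script performs the check described above on a copy of a site's source files: it walks the tree, reports every file and line that references the Polyfill[.]io domain in any of its common forms (https, http, protocol-relative // and the cdn. subdomain), and can rewrite full CDN URLs to the Cloudflare mirror while keeping the ?features list so the page requests the same polyfills. The mirror path, the list of file extensions scanned and the sample page are assumptions; confirm the exact mirror URL against the Cloudflare page linked above. The script only sees static files you hold, so references added at runtime by third-party scripts still require the vendor check described in the previous step.

```python
"""Scan a site's source tree for references to the compromised polyfill.io CDN
and optionally rewrite them to the Cloudflare mirror."""
import re
import sys
from pathlib import Path

# Matches the compromised CDN hostname (with or without the cdn. subdomain) wherever it
# appears, including bare strings inside JavaScript. The lookarounds stop names such as
# "notpolyfill.io" from matching while still allowing "polyfill.io/..." and "polyfill.io?...".
HOST_RE = re.compile(r"(?<![\w.-])(?:cdn\.)?polyfill\.io(?![\w-])", re.IGNORECASE)

# Matches a full URL to the CDN (https://, http:// or protocol-relative //) so the
# rewrite can keep the query string, which carries the requested ?features= list.
URL_RE = re.compile(
    r"(?:https?:)?//(?:cdn\.)?polyfill\.io(?P<path>/[^\s\"'<>)]*)?", re.IGNORECASE
)

# Assumed Cloudflare mirror endpoint; confirm the exact path on the cdnjs page linked above.
SAFE_MIRROR = "https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"

# Assumed set of file types worth scanning; extend for your own site's templates.
SOURCE_EXTENSIONS = (".html", ".htm", ".js", ".php", ".aspx", ".cshtml", ".jsp")


def find_references(text):
    """Return [(line_number, matched_text), ...] for every polyfill.io reference in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HOST_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def rewrite_to_mirror(text):
    """Replace each full polyfill.io URL with the Cloudflare mirror.

    The query string (the ?features=... list) is preserved so the page keeps loading
    the same set of polyfills; the original path (v2 or v3) is replaced by the mirror's
    v3 endpoint.
    """
    def _sub(m):
        path = m.group("path") or ""
        query = path.partition("?")[2]
        return SAFE_MIRROR + ("?" + query if query else "")
    return URL_RE.sub(_sub, text)


def scan_tree(root):
    """Walk a site tree and return {relative_path: [(line, match), ...]} for affected files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_EXTENSIONS:
            try:
                hits = find_references(path.read_text(encoding="utf-8", errors="replace"))
            except OSError:
                continue
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample page (not taken from any real site) showing the forms a reference
# can take; the third script tag already points at the mirror and must be left alone.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default,fetch"></script>
<script src="//polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_polyfill.py /path/to/site-root
        for rel, hits in scan_tree(sys.argv[1]).items():
            for lineno, match in hits:
                print(f"{rel}:{lineno}: {match}")
    else:
        for lineno, match in find_references(SAMPLE_HTML):
            print(f"sample:{lineno}: {match}")
        print(rewrite_to_mirror(SAMPLE_HTML))
```

Run it with the site root as the only argument to get a file:line report; review the report before applying rewrite_to_mirror to any file, since a reference found inside vendor-delivered code should be raised with that vendor rather than patched locally.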

