Polyfill.io Under New Ownership Of A Bizarre Chinese Company


In a surprise move, Polyfill.io, a popular web compatibility tool, has been acquired by Funnull, a Chinese CDN company. This raises concerns about web security and trustworthiness, so let’s dive into the details. 

What is Polyfill.io? 

Polyfill.io is an open-source service that delivers polyfills: pieces of JavaScript that give older browsers features they do not natively support. A site embeds a single script tag pointing at Polyfill.io, and the service inspects each visitor's browser and returns only the polyfills that browser needs. Its acquisition by the Chinese CDN company Funnull has sparked security concerns in the web developer community. There has been much speculation about whether Funnull can be trusted, and whether continuing to load scripts from this popular service now exposes websites to risk. Such worries may sound alarmist, but there is legitimate cause for concern: the recent XZ Utils backdoor showed what can happen when a widely trusted component ends up in the wrong hands.

  • Polyfill.io is a widely used service whose script is embedded by 10,331,390 websites.
  • It simplifies the developer’s job, with a set-it-and-forget-it approach that saves them time.
  • It automatically adds modern JavaScript support for older browsers.

What are the risks, and why should you care?

1. In the typical deployment the polyfill is not part of your site at all: the page loads it at runtime from Polyfill.io's own servers with a script tag. Whoever controls those servers can change what is served at any moment, and neither you nor your users will know. Because Polyfill.io tailors its response to each browser's User-Agent, you cannot pin the remote script with a Subresource Integrity hash either.

2. As the XZ backdoor case (see below) shows, a component may already have been tampered with before you ever obtained it. So even a self-hosted copy should be reviewed and then pinned, so that you can confirm both that it is not doing anything it shouldn't and that it has not changed since you looked.

The XZ Backdoor: The Rise of Jia Tan 

The worries around Funnull exist because the Linux XZ backdoor case showed how placing blind trust in a third-party provider can go wrong. It began when an unknown party using the alias ‘Jia Tan’, subtly infiltrated the XZ Utils project, a lossless data compression utility for Unix-like operating systems (and from version 5.0, for Microsoft Windows, too) that’s almost ubiquitous in the Linux world. 

Over more than two years, Tan carefully cultivated trust within the developer community, eventually ascending to a co-maintainer position alongside the project's founder, Lasse Collin. Tan's covert actions culminated in the insertion of a sophisticated backdoor into the utility, a move that could have compromised three billion machines running Linux-based operating systems. 

Tan's exceptional patience is a real eye-opener. He or she built a trustworthy persona simply by putting in the hours: contributing code and taking part in discussions over weeks, months, and years. This paved the way for a software supply chain attack that could have been massive, and it underscores the inherent vulnerabilities of relying on open-source collaboration platforms like GitHub. Crucially, when Tan finally shipped the backdoor, the malicious build-script changes went only into the release tarballs that Tan, as a maintainer, signed and uploaded; they never appeared in the public git repository, so anyone reviewing the source tree saw nothing amiss.

The Fix

Once the backdoor was discovered, Red Hat issued an urgent security alert about XZ Utils. It revealed that versions 5.6.0 and 5.6.1 had been compromised with malicious code, tracked as CVE-2024-3094, which enables unauthorized remote access. The issue carries the maximum CVSS severity score of 10.0. The backdoor hides behind complex obfuscation in the build process and produces a modified liblzma library that can intercept and modify data passing through it. It specifically targets the sshd process, which on the affected distributions loads liblzma indirectly via libsystemd, potentially allowing threat actors to bypass authentication and gain remote access. The remediation was to downgrade to an unaffected version of the package.

Who Are You, Jia Tan?

Initial scrutiny of Jia Tan's identity and origins pointed toward East Asia, perhaps China or North Korea, because the timestamps on Tan's commits (the change records logged in GitHub) aligned with the UTC+8 time zone. However, further analysis by researchers Rhea Karty and Simon Henniger suggests that Jia Tan may have manipulated their computer's time zone settings. They noticed that Tan kept working through Chinese holidays, and that the activity, viewed as working hours, fit Eastern European or Middle Eastern time zones better, which cast doubt on an East Asian origin. 

Dave Aitel, founder of Immunity, suggests that although candidates such as Iran or Israel remain a possibility, the most likely culprit is Russia's APT29 hacking group. APT29's meticulous approach and high level of technical proficiency set it apart from other crews like APT41 or Lazarus, and the XZ Utils backdoor shows the same level of sophistication that distinguished APT29's past operations, such as the SolarWinds compromise.

Coordinated efforts to push for the inclusion of the compromised software in popular Linux distributions like Debian and Fedora suggest an orchestrated campaign of manipulation that extends beyond the XZ project compromise. 

The backdoor was discovered in the nick of time by Microsoft software developer Andres Freund, who had noticed performance issues with SSH logins on a Debian system and thankfully, decided to investigate, averting what could have been a major catastrophe. Cybersecurity agencies responded quickly to his discovery and Tan’s GitHub account was suspended. 

Back to The Polyfill.io Case

Although nothing has happened in the Polyfill case, certain similarities between it and the XZ backdoor incident are concerning. In both scenarios a widely used software component that plays a critical role in its ecosystem sits in the hands of a party its consumers have no real way to vet. In both instances the component is obtained from an upstream the consumer does not control, so an adversary who gains that upstream position could modify the code without detection: for XZ, in the release tarballs that distributions build from; for Polyfill.io, in the script served to every visitor's browser.

Given the striking similarities between the two, namely the possibility of critical software components being infiltrated by stealthy means, we cannot dismiss the possibility of a similar outcome. While the specifics differ, the underlying risk is the same in both cases: trusted code that can be altered upstream and then executed on machines, or in browsers, that the attacker never touched directly.

The Polyfill case underscores the urgent need for heightened vigilance and security measures within the software development community, especially in the supply chain area and in open sources for web components. Without robust safeguards, vulnerabilities in widely used services like Polyfill.io could easily set the stage for another XZ backdoor incident, and next time it might even be successful. 

Supply Chain Risks in Open Source Libraries 

Polyfill.io's acquisition by Funnull is a reminder that using open-source libraries in the supply chain is an exercise in trust. Relying on third parties means accepting their inherent vulnerabilities, and being aware that malicious actors can exploit them. 

The acquisition of Polyfill.io by a new owner raises concerns about the potential impact on security and trust. Although tools like Snyk can help with the initial vetting of third-party dependencies, ongoing monitoring is essential because dependencies can and do change, and a change of ownership is exactly the kind of change that vetting done once will never catch.  

It serves as a stark reminder for developers and organizations to implement robust supply chain management practices, including thorough code reviews, continuous monitoring, and proactive risk mitigation strategies, to safeguard against potential threats and vulnerabilities in open-source libraries.

What You Should Do About It

First, you need to understand where you're using Polyfill.io, so map out every script your pages load, the domains they come from, and where those servers are (tools like Reflectiz are invaluable for this task). Determine whether each script is local or remote. Self-hosted copies are generally safer, because nobody outside your organization can change them, but only if you reviewed the copy you deployed and can tell when it changes.

However, don’t stop there. Polyfill is just one example of a potential vulnerability in the web supply chain. Verify all other scripts hosted on CDNs, public servers, or third-party sources to ensure you’re not inadvertently exposing your system to external risks.

Third-Party Domains and Servers: You Are at Their Mercy

Third-party servers like Polyfill.io have become indispensable to developers because they boost productivity and improve website performance. However, reliance on these external services means accepting their inherent risks, as we saw with the XZ backdoor.

When you integrate third-party domains and servers into your web infrastructure, you are effectively outsourcing some aspects of its control and security to someone else. Without proper oversight, these external servers can introduce vulnerabilities that could lead to code manipulation, leaving your web environment undefended.

This risk is not limited to third-party servers either. Public Content Delivery Networks (CDNs) for JavaScript frameworks carry the same inherent risk. For example, consider open-source libraries such as jQuery or Bootstrap served from public CDNs. These libraries enhance the user experience and streamline development, but they come with a security trade-off: your page executes whatever the CDN serves. This is why it's important to vet CDN providers, employ a robust security monitoring solution that can analyze what third parties are up to, and implement secure coding practices.

How Reflectiz Can Help

Reflectiz continuously monitors your web ecosystem. When potential vulnerabilities and security threats appear, including those arising from third-party dependencies like Polyfill.io and those stemming from Linux vulnerabilities like the XZ backdoor, the system detects and analyzes them, prioritizes the most urgent, and empowers your security team to take swift, targeted action to mitigate them. 

The fact that threat actors are willing to wait for years before launching an attack is troubling, but Reflectiz continuous web threat management is on your side, always alert, and ready for the moment when they make their move. Sign up today for the ultimate in third-party supply chain protection.  
