Cybersecurity company Sansec has warned that over 100,000 websites have been impacted by malware injections through the popular Polyfill JS project. The Polyfill.io domain and service, which was purchased earlier this year by a Chinese company named Funnull, has reportedly been modified to introduce malicious code.
A polyfill is a piece of code that enables the usage of new programming language or web platform features in outdated browsers or environments.
The script served from cdn.polyfill.io is not a static file: it is generated per request from HTTP headers such as User-Agent, so different visitors can receive different code. That gives whoever controls the service several ways to attack selectively, for example returning a clean bundle to desktop browsers and security scanners while serving a payload only to targeted mobile browsers, and it also means the response cannot be pinned with a Subresource Integrity hash, since there is no single fixed file to hash.
“In February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io,” Sansec explained.
The company said it has decoded a malware variant, which redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware is designed with specific protections against reverse engineering and activates only on specific mobile devices at certain hours.
Additionally, it does not activate when an admin user is detected and delays execution when a web analytics service is found, likely to avoid detection.
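The practical question for a site owner is whether any page still pulls a script from the hijacked host, and which other third-party scripts are loaded without an integrity hash that would have stopped a swapped file. The following is an added example, not code from Sansec or the Polyfill project: a small audit that parses HTML for external `<script>` tags, flags anything from `cdn.polyfill.io` (the only host the article names; the blocklist and the sample page are assumptions constructed here) and lists third-party includes with no `integrity` attribute. It also computes the SRI value for a self-hosted copy of a library, which is the fix once the CDN dependency is removed.

```python
"""Audit HTML for risky third-party <script> includes.

Added example: finds scripts loaded from the compromised polyfill.io host,
flags other cross-origin scripts that carry no Subresource Integrity hash,
and computes the SRI value for a self-hosted replacement file.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts treated as compromised. The article names only
# cdn.polyfill.io; extend this set for your own environment.
BLOCKED_HOSTS = {"cdn.polyfill.io", "polyfill.io"}


class ScriptCollector(HTMLParser):
    """Collect the attribute dicts of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # html.parser lowercases tag and attribute names
            self.scripts.append(dict(attrs))


def _host_of(src):
    """Return the lowercase hostname of a script src, '' for same-origin paths."""
    netloc = urlparse(src).netloc.lower()  # handles https:// and protocol-relative //
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def audit_scripts(html, site_host):
    """Return a list of (severity, src, reason) findings for external scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script, nothing fetched from elsewhere
        host = _host_of(src)
        if not host:
            continue  # relative path, served from our own origin
        blocked = host in BLOCKED_HOSTS or any(
            host.endswith("." + b) for b in BLOCKED_HOSTS
        )
        if blocked:
            findings.append(("critical", src, "loads from compromised polyfill.io host"))
        elif host != site_host.lower() and not attrs.get("integrity"):
            # Without SRI a CDN can silently change what this tag executes.
            findings.append(("warning", src, "third-party script without integrity attribute"))
    return findings


def sri_hash(data, algo="sha384"):
    """Compute the SRI integrity value for a fixed file you host yourself.

    This only makes sense for static bytes; a per-User-Agent generated
    response like polyfill.io's has no single hash to pin.
    """
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed sample page for the example; not a real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.net/lib.js"></script>
<script src="https://cdn.example-cdn.net/pinned.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script>console.log("inline")</script>
</head><body></body></html>"""


if __name__ == "__main__":
    for severity, src, reason in audit_scripts(SAMPLE_HTML, "www.example.com"):
        print(f"[{severity}] {src}: {reason}")
    # Hash of a locally hosted replacement bundle (constructed content).
    print("integrity for self-hosted copy:", sri_hash(b"/* self-hosted polyfills */"))
```

Run it against exported templates or crawled pages; any `critical` finding means removing the tag or replacing it with a self-hosted file plus the `integrity` value from `sri_hash`. The `warning` findings are the same class of exposure waiting for the next CDN to change hands.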
“The original polyfill author recommends not using Polyfill at all, as it is no longer needed by modern browsers anyway,” Sansec noted.