Polyfills - a filler or a gaping hole? (Part-2)

purnez

Purneswar Prasad

Posted on August 29, 2024


In the last blog we discussed some very interesting topics like transpilers and polyfills, came across a popular transpiler, Babel, and saw how its polyfill package was deprecated and which alternatives are required instead.

Moving on from here, our main focus will be on polyfills and a very special and popular (or now, unpopular) service, Polyfill.io.
This name has been around quite a lot lately, and unless you've been living under a rock, you'll know of the kind of security issues it brought with it, affecting 300k+ sites (4% of the web) across the internet.

Let me walk you again through some history, which might give some perspective on how things transpired:
There are a lot of open-source libraries out there providing polyfill support, among which polyfill.js is a popular one. It used the service Polyfill.io, developed by the Financial Times, to serve polyfills based on the user's browser.

  • Things started to get fishy way back in June 2023, when Google gave a security warning to its advertisers about the possibility of users getting redirected to malicious websites if they click on their ads, which might be using these libraries (see Google's letter to advertisers).
  • Cut to February 2024, we hear from the creator of the polyfill service project, who raised concerns about the project and its new ownership. Later, around that time, we come to know that Funnull, a CDN service provider in China, has acquired the Polyfill.io domain and its GitHub account. Cloudflare, a CDN and cybersecurity service provider, also came up with its own alternative solution to what might be a future problem, due to concerns in the community relating to Polyfill.io.
  • Come June 2024, we hear everywhere across the internet to check if your website uses cdn.polyfill.io and to get it removed ASAP!

What happened suddenly? Is it time to say goodbye to old browsers and forget about polyfills? Are we really witnessing another worldwide cybercrime?

Let's dive into some sweet details.

You read earlier that Funnull, a CDN service provider, acquired the polyfill domain. What does a CDN do?
CDN stands for Content Delivery Network. Now imagine you had a server somewhere very far away and needed to provide service to users all around the world. Different users may get a different experience while loading your site: the fastest being the happiest, while the slowest might not even wait for it to load. A CDN comes in handy here, as it keeps copies of the main server's content spread across the globe, so it can be retrieved anytime.

Funnull would've taken over the polyfill.io domain with the promise of a better experience to its users with its widespread network of CDNs. But something happened during the handover of the GitHub account.
Polyfill.io, being one of the top domains for polyfill usage, used Cloudflare's services, like CDN, scalability, security, DNS management etc. As you probably know, to use any service on your platform you need an API key. This key, unique to every app, identifies the app to the service and authorizes it to use the service for its purpose.
And logically, this key needs to be protected from the public to prevent any kind of unauthorized access or abuse of the service.

But what if your website is taken over, like in the case of Polyfill.io? Do the new owners get control of the keys?

Well, there are certain practices like:
1) Rotating API keys - generate new API keys at regular intervals
2) Limiting key access - restrict which services a key can be granted access to
3) Using secure channels - any kind of transfer should happen over a secure, encrypted channel

Here, the owners made a blunder during the transition by accidentally uploading a .env file (used to store secrets) to the public repository.
Secrets leaked

Now, this leak gave access to the Cloudflare account and, in turn, the attackers managed to change its DNS (Domain Name System) records. Think of DNS records as the internet's address book of different websites/domains, which contain important information about the websites.

One such record is called CNAME. For cdn.polyfill.io, the attackers changed the CNAME record to a malicious domain, cdn.polyfill.io.bsclink.cn, a China-based CDN domain hosted by Baishan Cloud, and went on to inject malicious JS code through it. The details are very clearly pointed out here by Sansec Research, one of the very first to write publicly about the incident.

Along with polyfill.io, several other domains associated with the same Cloudflare account were also flagged as being under malicious ownership, like:
bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com. And the same action is recommended: stop using them!
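
To audit your own pages for these hosts, here is an added example (not code from the original post or from Sansec) that scans HTML for script tags loading from the domains listed above or from any of their subdomains. The sample HTML is constructed, and `isFlaggedHost` and `findFlaggedScripts` are hypothetical helper names.

```javascript
// Domains this post lists as being under malicious ownership.
const FLAGGED = [
  "polyfill.io", "bootcdn.net", "bootcss.com", "staticfile.net",
  "staticfile.org", "unionadjs.com", "xhsbpza.com", "union.macoms.la",
  "newcrbpc.com",
];

// True when host is a flagged domain or a subdomain of one.
// Matching on a label boundary keeps "notpolyfill.io" from matching.
function isFlaggedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return FLAGGED.some((d) => h === d || h.endsWith("." + d));
}

// Return every <script src=...> in `html` that loads from a flagged host.
// `pageUrl` resolves relative and protocol-relative (//host/path) URLs.
function findFlaggedScripts(html, pageUrl) {
  const hits = [];
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const m = srcRe.exec(tag);
    if (!m) continue; // inline script, nothing is fetched
    let url;
    try {
      url = new URL(m[1] ?? m[2] ?? m[3], pageUrl);
    } catch {
      continue; // src that cannot be parsed as a URL
    }
    if (!isFlaggedHost(url.hostname)) continue;
    hits.push({
      src: url.href,
      host: url.hostname,
      hasIntegrity: /\sintegrity\s*=/i.test(tag),
    });
  }
  return hits;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src='//cdn.bootcss.com/jquery/3.6.0/jquery.min.js'></script>
<script src="https://notpolyfill.io/x.js"></script>
<script src="/static/app.js"></script>
<script>console.log("inline");</script>`;

console.log(findFlaggedScripts(SAMPLE_HTML, "https://shop.example/"));
```

A regex scan like this is enough for static templates and build output; scripts injected at runtime need a check of the rendered page instead.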

Later, the domain was taken down and an easy alternative to mirror the polyfill functionality was provided by Cloudflare.

Phew, that was some information!

Who is responsible for all this? The owner who sold it? The projects that used it? The warnings that were ignored?

Well, when it comes to cybersecurity, there's never a single entity involved.

1) Consider this tweet, which shows proof of the sale. If you saw the founder's tweet earlier on top, he denies any influence over the sale.
Well, who do we blame here? Maintaining an open source project requires a lot of effort from the community and the maintainers. There are several layers to the governance. And projects which are so widely used, like polyfill.io, need to be kept updated at all times. This requires taking time out of your daily schedule and contributing towards a better developer experience around the world. And only a few really know the ins and outs of a project.
Funding is a big part of an open-source project, without which it's very difficult for maintainers to carry on day-to-day tasks.
Here's a heart-wrenching example of the core-js library we'd talked about in the 1st part. I recommend that everyone go through this once, understand the effort involved and build relationships with maintainers.

2) As mentioned, projects that got affected used cdn.polyfill.io in the src of a script tag. Using an integrity attribute in a script tag lets the browser check that the content of the external script hasn't been tampered with.

3) Educating users and application owners about the risks and best practices of security, authentication, access control and regular auditing is important.
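
For the integrity attribute from point 2) above, here is an added example (not code from the original post) of how an integrity value is computed and how a browser-style check rejects a changed file, using Node's built-in crypto module. The cdn.example URL and the file contents are constructed. The attribute pins one exact file, so it fits a fixed, versioned script rather than a response that varies with the user's browser, which is how this post describes Polyfill.io.

```javascript
const crypto = require("node:crypto");

// Algorithms allowed in an integrity attribute, weakest to strongest.
const ALGS = ["sha256", "sha384", "sha512"];

// Build an integrity value ("sha384-<base64 digest>") for a script body.
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Check a fetched body against an integrity attribute the way a browser does:
// parse the space-separated hashes, keep only the strongest algorithm listed,
// and accept the body if any hash of that algorithm matches.
function sriMatches(body, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)/.exec(tok))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  if (parsed.length === 0) return true; // no usable hash: nothing is enforced
  const best = Math.max(...parsed.map((h) => ALGS.indexOf(h.alg)));
  return parsed
    .filter((h) => ALGS.indexOf(h.alg) === best)
    .some((h) => sriHash(body, h.alg) === `${h.alg}-${h.digest}`);
}

// Emit the tag a page would ship. Cross-origin scripts also need the
// crossorigin attribute, otherwise the browser cannot verify the hash.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample: the file as reviewed, and the same file after the
// host serving it appends code of its own.
const REVIEWED = "window.polyfilled = true;\n";
const TAMPERED = REVIEWED + "/* extra code added by the CDN */\n";
const PINNED = sriHash(REVIEWED);

console.log(scriptTag("https://cdn.example/polyfill.min.js", REVIEWED));
console.log("reviewed file loads:", sriMatches(REVIEWED, PINNED));
console.log("tampered file loads:", sriMatches(TAMPERED, PINNED));
```

An attribute with no recognised hash enforces nothing, which is why `sriMatches` returns true in that case; a typo in the algorithm name silently disables the check.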

Conclusion
Open-source software is built on collaboration and trust. By respecting the sanctity of its ecosystem, we ensure that it remains a vibrant and secure environment for developers and users alike.

Links to some insightful articles:
