The Web Ecosystem Between Vulnerability and Resilience: The Case of Polyfill.io

Author(s): Adelaida STĂNCIULESCU
Subject(s): Politics / Political Sciences, Politics, Economy, Security and defense, ICT Information and Communications Technologies
Published by: Asociatia Romana pentru Asigurarea Securitatii Informatiei
Keywords: CDN compromises; external dependencies; open-source security; Polyfill.io; supply chain attacks
Summary/Abstract: This report addresses the Polyfill.io security incident, analyzed as a case study to demonstrate the impact that poor management of external dependencies can have on the resilience of the modern web ecosystem. The Polyfill.io case represents one of the most extensive external dependency compromises in recent history, affecting over 100,000 websites through sophisticated mechanisms for injecting malicious code via compromised CDN infrastructure. The analysis reveals how a supposedly harmless JavaScript library, used for cross-browser compatibility, was hijacked and exploited as a global attack vector. The study investigates the mechanisms by which the polyfill.io domain was taken over and used for the conditional distribution of malicious code. Through comparative analysis with other major supply chain incidents (SolarWinds, Log4Shell, XZ Utils), the paper identifies the unique features of the Polyfill.io case - including the passive nature of the compromise, the almost instantaneous speed of propagation, and the unprecedented diversity of victims. The results of the analysis reveal the importance of implementing strengthened security measures for managing external dependencies, such as systematically verifying the integrity of resources, enforcing content security policies, and continuously monitoring ownership changes within open-source projects.

  • Page Range: 74-82
  • Page Count: 9
  • Publication Year: 2025
  • Language: English