Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

27-June-24

A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. Specifically, researchers discovered malicious, obfuscated code that “dynamically generates payloads based on HTTP headers,

In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; and Simply Show Hooks v1.2.1. Of these plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds.