sourcedefense.com
35.185.203.155
Public Scan
Submitted URL: https://ckgv304.na1.hubspotlinks.com/Ctc/RH+113/cKGv304/VWWFdH33y6ZzW1xfK669dHMYCW46ZLVZ5gRt41N44_Dbq5nXHsW7lCGcx6lZ3kVW8NHYgS5VhkZCW...
Effective URL: https://sourcedefense.com/resources/blog/polyfill-additional-analysis-and-discovery-signs-of-pii-and-credential-harvesting...
Submission: On June 28 via manual from US — Scanned from DE
Text Content
POLYFILL – ADDITIONAL ANALYSIS AND DISCOVERY: SIGNS OF PII AND CREDENTIAL HARVESTING, BROAD EXPOSURE THROUGH DIGITAL SUPPLY CHAIN

By Source Defense

6.27.24 – Initial Findings (Additional Research will Include Updated Date Stamp)

In the past 48 hours, the cybersecurity community has been reporting on a significant incident involving Polyfill[.]io, a widely used JavaScript CDN service. First reports by Sansec flagged the potential impact to 100k websites around the world. Further reporting from Cloudflare indicates that reach may be ten times greater or more.

Initial reporting alerted that the service was found to be redirecting unsuspecting website visitors to undesired, potentially malicious websites. Additional research indicates that the domain was found to be serving malware, and the research conducted by Source Defense supports this more alarming reality.

While this domain has since been shut down, the owners of the domain have stood up a new domain and are making claims that the research and reporting is inaccurate/defamatory. Be wary! The credible research by Sansec and Cloudflare is supported by our own findings.

Our findings show direct evidence of PII and credential harvesting. A number of our clients were found to be running the service and our redaction policies thwarted attempts to steal this data. Our systems show direct evidence of these data theft attempts connected to Polyfill[.]io and there is a strong likelihood that sites without JavaScript management and protection in place have fallen victim to data theft – potentially for a prolonged period of time – at least since February of 2024.

We have also seen an alarming scope of reach and broad exposure through the digital supply chain, where 3rd, 4th and nth parties connected to many of the world's largest websites have been calling upon the malicious domain. In one instance we investigated yesterday, a world-renowned, widely used payment service was found to be calling on the malicious domain. This supports the theory that the impact is likely many times greater than already reported.

Action should be taken immediately and investigations should be undertaken to understand the potential exposure / scope of theft of sensitive data.

Understanding the Polyfill Project and the Polyfill[.]io Incident

As with many open source projects, Polyfill was designed to provide the community with a tool to better the internet experience. As a legitimate service, it allowed developers to use the latest web features while ensuring compatibility with older browsers. As many older browser versions do not support modern web features, this JavaScript helped by detecting these browsers and automatically adding the necessary code to enable advanced features. Simple and pretty much standard practice – a third party is used by website owners and/or their partners (i.e., a third party calls on a 4th party) to provide much-needed features to enrich the web experience.

Polyfill[.]io is not connected to the legitimate Polyfill project, a reality that was flagged for the community back in February of this year. But, as with many things in security, the message didn't spread as far as it needed to.

The Incident

On February 25th of this year, Andrew Betts, the legitimate author behind the project, flagged that the domain in question was both illegitimate and potentially harmful. Direct words from Andrew on his X account below: (https://x.com/triblondon/status/1761852117579427975)

Some four months later, we are met with the news that the domain is conducting malicious redirects, dropping malware and, as per our findings, stealing data.

Our Observations at Source Defense

The Polyfill.io incident is a stark reminder of the vulnerabilities inherent in our digital supply chains. At Source Defense, we focus on securing first party and external party (third, fourth, nth party) scripts through real-time monitoring and protection for exactly this reason. Code that is sourced from open source repositories is a target of adversaries of all types. 3rd, 4th and nth party scripts – many of which are dynamic – cannot be vetted and must have some form of control mechanism in place.

Our proactive measures related to JavaScript management and security ensured that no data was harvested from our client environments – but we still monitor the behavior of these scripts to report on risky and blocked activity. A quick look into our platform reveals broader malicious activity than what has been reported to this point. We see signs of attempts to harvest multiple forms of PII and credentials data.

In this particular client environment, it should be noted that the FIRST indication of attempts at data theft actually aligns with the same date that Andrew Betts made his announcement on X.

Broad Reach / Exposure Through the Digital Supply Chain

One of the most under-recognized issues with the use of JavaScript and of 3rd party partners is the fact that those partners often compile code from other resources or call in additional parties to support their services. In the case of this incident, we see direct evidence of website owners being impacted by their supply chain. As mentioned previously, one incident we investigated yesterday found that a widely used payment service was calling in the Polyfill[.]io domain. The request map shown below demonstrates that relationship / exposure.

Website owner doesn't directly call on the malicious domain, 3rd party partner does…

Moving Forward

This incident serves as a powerful reminder that even widely trusted JavaScript libraries can be compromised.
Initial validation of third-party scripts is not sufficient; continuous real-time monitoring is crucial. Additionally, vulnerabilities can often stem from fourth-party sources that are beyond the direct control of website owners. Organizations need a robust solution that not only validates these scripts at the start but also actively monitors and prevents vulnerabilities from being exploited over time.

We would encourage all organizations to implement real-time protection systems – whether or not you use Source Defense, this situation highlights the wide-ranging vulnerability/gap in web security that we need to address as an industry. Regular reviews and relying on reputable providers are important, but they are not enough. Real-time monitoring and immediate threat prevention are essential to safeguard against dynamically changing scripts and emerging vulnerabilities.

Source Defense will continue monitoring this situation and provide any updates under a new date stamp to this blog.