sourcedefense.com
35.185.203.155  Public Scan

Submitted URL: https://ckgv304.na1.hubspotlinks.com/Ctc/RH+113/cKGv304/VWWFdH33y6ZzW1xfK669dHMYCW46ZLVZ5gRt41N44_Dbq5nXHsW7lCGcx6lZ3kVW8NHYgS5VhkZCW...
Effective URL: https://sourcedefense.com/resources/blog/polyfill-additional-analysis-and-discovery-signs-of-pii-and-credential-harvesting...
Submission: On June 28 via manual from US — Scanned from DE

Form analysis 1 forms found in the DOM

POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/6087099/19bc8ea2-fbd8-4ff4-bd0e-11a77c82032a

Text Content

POLYFILL – ADDITIONAL ANALYSIS AND DISCOVERY: SIGNS OF PII AND CREDENTIAL
HARVESTING, BROAD EXPOSURE THROUGH DIGITAL SUPPLY CHAIN




By Source Defense
6.27.24 – Initial Findings (Additional Research will Include Updated Date Stamp)

In the past 48 hours, the cybersecurity community has been reporting on a
significant incident involving Polyfill[.]io, a widely used JavaScript CDN
service. First reports by Sansec flagged the potential impact to 100k websites
around the world. Further reporting from Cloudflare indicates that reach may be
ten times greater or more. Initial reporting alerted that the service was found
to be redirecting unsuspecting website visitors to undesired, potentially
malicious websites. Additional research indicates that the domain was serving
malware, and the research conducted by Source Defense supports this more
alarming reality. While this domain has since been shut down, its owners have
stood up a new domain and are claiming that the research and reporting are
inaccurate and defamatory. Be wary!

The credible research by Sansec and Cloudflare is supported by our own findings.
Our findings show direct evidence of PII and credential harvesting. A number of
our clients were found to be running the service and our redaction policies
thwarted attempts to steal this data. Our systems show direct evidence of these
data theft attempts connected to Polyfill[.]io and there is a strong likelihood
that sites without JavaScript management and protection in place have fallen
victim to data theft – potentially for a prolonged period of time – at least
since February of 2024.

We have also seen an alarming scope of reach and broad exposure through the
digital supply chain where 3rd, 4th and nth parties connected to many of the
world’s largest websites have been calling upon the malicious domain. In one
instance we investigated yesterday, a world renowned, widely used payment
service was found to be calling on the malicious domain.

This supports the theory that the impact is likely many times greater than
already reported. Action should be taken immediately and investigations should
be undertaken to understand the potential exposure / scope of theft of sensitive
data.

Understanding the Polyfill Project and the Polyfill[.]io Incident 
As with many open source projects, Polyfill was designed to provide the
community with a tool to better the internet experience. As a legitimate
service, it allowed developers to use the latest web features while ensuring
compatibility with older browsers. As many older browser versions do not support
modern web features, this JavaScript helped by detecting these browsers and
automatically adding necessary code to enable advanced features.

Simple and pretty much standard practice – a third party is used by website
owners and/or their partners (i.e. – a third party calls on a 4th party) to
provide much needed features to enrich the web experience.

Polyfill[.]io is not connected to the legitimate Polyfill project, a reality
that was flagged for the community back in February of this year. But, as with
many things in security, the message didn’t spread as far as it needed to.

The Incident
On February 25th of this year, Andrew Betts, the legitimate author behind the
project, flagged that the domain in question was both illegitimate and
potentially harmful. Direct words from Andrew on his X account below:

(https://x.com/triblondon/status/1761852117579427975)

Some four months later, we are met with the news that the domain is conducting
malicious redirects, dropping malware – and as per our findings, stealing data.


Our Observations at Source Defense

The Polyfill.io incident is a stark reminder of the vulnerabilities inherent in
our digital supply chains. At Source Defense, we focus on securing first party
and external party (third, fourth, nth party) scripts through real-time
monitoring and protection for exactly this reason. Code sourced from open
source repositories is a target for adversaries of all types. 3rd, 4th and
nth party scripts – many of which are dynamic – cannot be vetted and must have
some form of control mechanism in place.

Our proactive measures related to JavaScript management and security ensured
that no data was harvested from our client environments – but we still monitor
the behavior of these scripts to report on risky and blocked activity.

A quick look into our platform reveals broader malicious activity than what has
been reported to this point.

We see signs of attempts to harvest multiple forms of PII and credential data.
In this particular client environment, it should be noted that the FIRST
indication of attempted data theft actually aligns with the same date that
Andrew Betts made his announcement on X.


Broad Reach / Exposure Through the Digital Supply Chain

One of the most under-recognized issues with the use of JavaScript and 3rd
party partners is that those partners often compile code from other resources
or call in additional parties to support their services. In the case of this
incident, we see direct evidence of website owners being impacted by their
supply chain. As mentioned previously, one incident we investigated yesterday
found that a widely used payment service was calling in the Polyfill[.]io
domain. The request map shown below demonstrates that relationship / exposure.

Website owner doesn’t directly call on the malicious domain, 3rd party partner
does…


Moving Forward
This incident serves as a powerful reminder that even widely trusted JavaScript
libraries can be compromised. Initial validation of third-party scripts is not
sufficient; continuous real-time monitoring is crucial. Additionally,
vulnerabilities can often stem from fourth-party sources that are beyond the
direct control of website owners. Organizations need a robust solution that not
only validates these scripts at the start but also actively monitors and
prevents vulnerabilities from being exploited over time.  

We would encourage all organizations to implement real-time protection systems.
Whether or not you use Source Defense, this situation highlights a
wide-ranging vulnerability/gap in web security that we need to address as an
industry.

Regular reviews and relying on reputable providers are important, but they are
not enough. Real-time monitoring and immediate threat prevention are essential
to safeguard against dynamically changing scripts and emerging vulnerabilities.

Source Defense will continue monitoring this situation and provide any updates
under a new date stamp to this blog.




