Intelligence
High | Supply Chain | Active

Polyfill CDN Compromise Enables Credential Theft on Toshiba and Muji Websites

Toshiba and Muji websites served malicious login prompts via a compromised polyfill library, enabling attackers to harvest user credentials from visitors. This represents a supply-chain attack exploiting third-party JavaScript dependencies.

Sebastion

Affected: Toshiba, Muji, Polyfill library users

A compromised polyfill library injected fake login prompts onto at least two major commercial websites, demonstrating how third-party JavaScript dependencies represent a critical attack surface. Polyfill libraries are commonly used to provide compatibility shims for older browser APIs, making them persistent inclusions on many production websites. When these libraries are compromised or hosted on vulnerable CDNs, attackers gain direct code execution within the browser context of affected sites, with access to cookies, localStorage, and the ability to intercept user input.

The technical attack vector exploited a fundamental tension in web architecture: developers trust polyfill CDNs as infrastructure, loading them before or alongside security controls, and often without the scrutiny applied to first-party code. The malicious prompts were convincing enough to pass initial user scrutiny, suggesting either sophisticated DOM spoofing or placement timing that mimicked legitimate authentication flows. This attack bypassed traditional perimeter security and website-level protections because it originated from a trusted external source.

Both Toshiba and Muji likely discovered the compromise through user reports or log analysis rather than through their own security monitoring, indicating a reactive rather than proactive detection posture. The delay between initial compromise and public warning is material: during this window, attackers could harvest credentials from hundreds or thousands of users. Victims are particularly vulnerable if they reused credentials across services or if the stolen accounts held payment information.

Organisations must audit all external JavaScript dependencies, enforce subresource integrity (SRI) hashes on the script tags that load them to prevent tampering, and maintain an inventory of third-party CDN usage. Developers should favour self-hosted polyfills or evaluate whether polyfill bundles are necessary for modern browser support at all. Content Security Policy (CSP) headers, when properly configured, can restrict inline script execution and reduce impact, though they did not prevent this attack vector.
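As an added illustration of the audit described above (not code from the advisory or from the affected sites), the Python script below walks a page's script tags and reports third-party hosts absent from an inventory, scripts loaded without SRI, and pinned scripts whose served body no longer matches the pinned hash; the hostnames, script bodies and sample HTML are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value an integrity= attribute should carry for this script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # one attribute dict per <script> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html: str, fetched: dict, allowed_hosts: set) -> list:
    """Flag external scripts that are uninventoried, unpinned, or tampered with;
    fetched maps script URL -> bytes the CDN actually served (constructed below)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src") or ""
        host = urlparse(src).netloc
        if not host:
            continue  # inline or first-party relative script: out of scope here
        if host not in allowed_hosts:
            findings.append((src, "third-party host not in inventory"))
        # integrity may list several hashes; any token matching the served body passes
        integrity = attrs.get("integrity") or ""
        if not integrity:
            findings.append((src, "no SRI: the CDN can change this code silently"))
        elif not any(sri_hash(fetched.get(src, b""), t.split("-", 1)[0]) == t
                     for t in integrity.split()):
            findings.append((src, "SRI mismatch: served content differs from pinned hash"))
    return findings


# Constructed sample: the pinned library was altered at the CDN after pinning, and the polyfill comes from an uninventoried host with no SRI.
ORIGINAL_LIB = b"window.lib = function () { return 1; };"
ALLOWED_HOSTS = {"cdn.example.net"}
FETCHED = {"https://cdn.example.net/lib.js": ORIGINAL_LIB + b"\n// appended at the CDN",
           "https://polyfill.example/v3/polyfill.min.js": b"/* polyfill bundle */"}
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="{sri_hash(ORIGINAL_LIB)}" crossorigin="anonymous"></script>
<script src="https://polyfill.example/v3/polyfill.min.js"></script>
</head></html>"""
```

Running `audit_scripts(SAMPLE_HTML, FETCHED, ALLOWED_HOSTS)` yields three findings: the tampered library fails its SRI check, and the polyfill is flagged both as uninventoried and as unpinned.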

This incident reflects a broader systemic risk in modern web architecture: the concentration of trust in a small number of JavaScript infrastructure providers. The polyfill ecosystem is underfunded and often maintained by individuals rather than organisations with security resources, creating an asymmetry between the scope of potential impact and the security maturity of these projects.