Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because the polyfill.io domain is actively serving credential-harvesting prompts to any site still loading scripts from it, the malicious behavior requires no further attacker action, and multiple named consumer-facing brands remain exposed as of the item date. Impact is high because affected brands face direct customer-facing impersonation of their authentication UI — credential harvesting occurring under the brand's identity, with no malicious footprint on the brand's own infrastructure, making detection and customer communication exceptionally difficult.
Treatment rationale: The exposure is fully remediable by removing the polyfill.io script dependency — a discrete, low-cost engineering action — making immediate mitigation the only defensible primary treatment given active customer harm and brand impersonation at scale.
Third-Party / Supply-Chain Risk
This is a textbook NIST SP 800-161 supply-chain compromise: a shared CDN dependency (polyfill.io) was acquired by a threat-affiliated entity (Funnull CDN), reactivated, and weaponized against all downstream consumers simultaneously. Affected organizations exercised no control over the domain after acquisition. Risk materialized not through any vulnerability in the affected brands' own environments but entirely through a third-party script dependency retained in production. Any organization that has not audited third-party JavaScript inclusions since mid-2024 should treat this as an unverified exposure — presence of the polyfill.io script tag in any customer-facing page constitutes active risk.
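The audit step in the last sentence above, as an added example that is not part of the original risk item: a small Python script that parses saved HTML page sources and flags every script tag whose source host is polyfill.io or a subdomain of it. It matches on the URL host rather than on a substring, so a first-party path that merely contains the string "polyfill.io" is not a false positive, and it handles protocol-relative includes. The FLAGGED_HOSTS set, the sample page and the command-line file handling are constructed for illustration and are not from the original.

```python
"""
Added example (not part of the original risk item): an offline audit that
flags <script> tags loading from polyfill.io in saved HTML page sources.
The sample HTML and the flagged-host list below are constructed.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts whose presence in a script src constitutes the exposure described in
# the risk item. Assumption for this example: extend with any other domains
# your own audit treats as untrusted.
FLAGGED_HOSTS = {"polyfill.io"}


def _host_is_flagged(src: str) -> bool:
    """True if the script src points at a flagged host or one of its subdomains."""
    # Protocol-relative URLs ("//polyfill.io/...") carry no scheme; add one so
    # urlsplit recognises the host part.
    if src.startswith("//"):
        src = "https:" + src
    host = (urlsplit(src).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.script_srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.script_srcs.append(value.strip())


def find_flagged_scripts(html: str) -> list[str]:
    """Return every script src in `html` that loads from a flagged host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return [src for src in parser.script_srcs if _host_is_flagged(src)]


# Constructed sample page: a protocol-relative polyfill.io include, a subdomain
# include, a first-party path containing "polyfill.io" (must NOT be flagged),
# a plain first-party script and an inline script without src.
SAMPLE_PAGE = """
<html><head>
<script src="//polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://static.example.com/vendor/polyfill.io/shim.js"></script>
<script src="/static/app.js"></script>
<script>console.log("inline, no src");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    # Usage: python audit.py page1.html page2.html ...
    # With no arguments the constructed sample page is audited instead.
    paths = sys.argv[1:]
    if not paths:
        for src in find_flagged_scripts(SAMPLE_PAGE):
            print("FLAGGED (sample):", src)
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for src in find_flagged_scripts(fh.read()):
                print(f"FLAGGED ({path}):", src)
```

Run it over the saved HTML of every customer-facing page; any output line is an active exposure under the risk item above and the corresponding script tag should be removed as the treatment section directs. Note that the parser only sees what is in the saved source, so pages that inject script tags at runtime need a second pass on the rendered DOM.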
Loss Exposure (illustrative)
Magnitude: moderate to high — illustrative $500K–$5M per materially exposed consumer brand, scaling with site traffic volume during the exposure window and with whether harvested credentials were acted upon downstream
Frequency: Single discrete event per affected organization tied to the exposure window (late May 2026 onward until script removed); probability of recurrence is low once dependency is removed, but supply-chain reactivation events of this class have occurred more than once with this specific domain
Annualized: Illustrative one-time loss event in the $500K–$5M range for a high-traffic consumer brand; annualized figure is not meaningful for a discrete remediable incident — primary loss drivers are incident response, customer notification, brand remediation, and potential regulatory engagement, not ongoing frequency
Basis: Range driven by: (1) incident response and forensic investigation to determine whether credentials were submitted and by how many users; (2) customer notification costs if exposure is confirmed, scaling with site traffic and session volume during the window; (3) brand remediation and PR costs for consumer-facing brands with strong retail identity (Toshiba, Muji, Samsung context); (4) potential regulatory engagement costs under applicable data protection regimes. Upper bound reflects a high-traffic brand with confirmed credential submission events and regulatory inquiry. No third-party loss databases cited — derivation is structural and specific to this threat class.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Customer credential exposure via brand-impersonating prompts may invoke state and national breach-notification obligations if credentials were submitted and are attributable to an affected organization's property — verify with counsel.
• Incident may trigger cyber insurance notice obligations depending on policy definitions of 'security event' or 'third-party system failure' — verify with broker.
• Consumer-facing brands with PCI-DSS, PIPEDA, GDPR, or APPI obligations should evaluate whether the credential-prompt exposure constitutes a reportable incident under applicable data protection law — verify with counsel.
• Contractual SLAs or partner agreements referencing site integrity or customer data protection may be implicated if credential harvesting is confirmed during the exposure window — verify with counsel.