Part 2/5:

This malicious code, when loaded by unsuspecting websites, would surreptitiously download and execute a heavily obfuscated JavaScript payload from a Pastebin link. The purpose of this payload is still under investigation, but it is suspected to be a browser exploit targeting vulnerabilities in the V8 JavaScript engine used by Chrome and other browsers.

V8 is written in C++, which means it can contain memory corruption vulnerabilities that can be exploited via carefully crafted JavaScript. By injecting this exploit into the Polyfill library, the attackers were able to potentially gain code execution on the computers of anyone visiting a website using the compromised Polyfill CDN.