Earlier this year, a Chinese company named Funnull acquired the polyfill[.]io domain. Subsequently, the polyfill CDN started delivering malicious JavaScript code which was automatically deployed on websites embedding scripts from cdn.polyfill[.]io. Following the acquisition, this injected code was used to redirect mobile visitors to scam sites.
Over 100,000 websites using the previously popular Polyfill JS open-source project are vulnerable to attacks that redirect traffic to sports betting and pornography sites. Polyfill.js was used to support outdated browsers with modern functionality and was historically essential for web developers to ensure their applications worked smoothly across various browser versions, acting as a bridge to enable newer JavaScript features on older browsers, thereby maintaining a consistent user experience.
When a polyfill library is fetched from a CDN, the application depends on the integrity and security of the external server. If the CDN or the hosted library is compromised, as seen in the recent attack on cdn.polyfill[.]io, the compromised code can be injected and executed within the user’s browser. This malicious code can redirect users to phishing sites, steal sensitive information, or spread malware, jeopardizing both endpoint and network security.
Tens of thousands of companies and organizations have been warned to stop using the service immediately. Those impacted include high-profile users Atlassian, Sendgrid, JSTOR, Intuit, the World Economic Forum, FlatIcon, SiteGround, and many government websites. Google has also sent warnings to those with landing pages affected by this attack.
Polyfill users were alerted in February about the potential for malicious activity and were advised to discontinue using the polyfill[.]io domain after its acquisition by Funnull, a Chinese company. After the sale, Andrew Betts, the developer of the open-source Polyfill project, urged users in a post on X to remove references to the content delivery network (CDN), partially because he never owned the site.
“I created the Polyfill service project, but I have never owned the domain name and I have had no influence over its sale,” Betts wrote.
Recommended Actions for Polyfill.io Users
For those still utilizing the Polyfill.io service, there are several alternatives available. Here are some recommendations for transitioning away from this service:
- Any site using cdn.polyfill.io should remove it immediately.
- If you’re unsure whether you are using the service, the Polykill website, which has been monitoring this supply chain vulnerability, suggests that developers use a code search tool or IDE to look for instances of cdn.polyfill.io in source code across all projects within the organization.
- If polyfills are still needed, both Fastly and Cloudflare offer reliable, drop-in alternatives.
- Organizations can also opt to self-host the repository in a secure and controlled environment.
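The search step above is the one most teams have to repeat across many repositories, so here is a small scanner that does it, together with a helper that moves each offending URL (path and feature list intact) onto a host you control. This is an added example written for this post; it is not code from Centripetal, from Polykill, or from the Polyfill project. The list of file suffixes, the replacement base path `/static/vendor/polyfill`, and the sample page are all assumptions constructed for the demonstration; substitute your own self-hosted copy or vetted mirror.

```python
"""Find references to the hijacked polyfill.io CDN in source files and
propose replacement URLs on a host the organization controls.

Added example, not code from the original post or the Polyfill project.
Values marked as assumptions should be adapted to your environment.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List
from urllib.parse import urlsplit

# Host named in the post as the compromised CDN; any subdomain matches too.
SUSPECT_HOSTS = ("polyfill.io",)

# File types to search (assumed list; extend for your stack).
SOURCE_SUFFIXES = {".html", ".htm", ".js", ".jsx", ".ts", ".tsx",
                   ".vue", ".php", ".ejs", ".hbs", ".md"}

# Absolute or protocol-relative URL, captured up to a quote, space or bracket.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]+(?:/[^\s"'<>)]*)?""")
# Opening <script ...> tag, used to check whether the tag pins an SRI hash.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


@dataclass
class Finding:
    source: str     # file path, or a label for in-memory text
    line: int       # 1-based line number
    url: str        # the offending URL exactly as written
    has_sri: bool   # True only if the enclosing <script> tag has integrity=


def _suspect_host(url: str) -> bool:
    """True if the URL's host is polyfill.io or one of its subdomains."""
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


def find_polyfill_references(text: str, source: str) -> List[Finding]:
    """Scan one file's text line by line and report every suspect URL."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            if not _suspect_host(url):
                continue
            # A dynamically built loader (s.src = ...) has no tag, so no SRI.
            has_sri = any(
                url in tag.group(0)
                and re.search(r"\bintegrity\s*=", tag.group(0), re.IGNORECASE)
                for tag in SCRIPT_TAG_RE.finditer(line)
            )
            findings.append(Finding(source, lineno, url, has_sri))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Walk a checkout and collect findings from every source file."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue   # unreadable file: skip rather than abort the scan
            findings.extend(find_polyfill_references(text, str(path)))
    return findings


def rewrite_url(url: str, replacement_base: str) -> str:
    """Keep the path and the ?features= query, swap the host for replacement_base.

    replacement_base is an assumption: a self-hosted copy or a mirror you vetted.
    """
    parts = urlsplit(url)
    new_url = replacement_base.rstrip("/") + parts.path
    if parts.query:
        new_url += "?" + parts.query
    return new_url


# Constructed sample page for the demonstration; not taken from any real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6,fetch"></script>
<script src="https://static.example.test/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>
  var s = document.createElement('script');
  s.src = "//cdn.polyfill.io/v3/polyfill.js?features=IntersectionObserver";
  document.head.appendChild(s);
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in find_polyfill_references(SAMPLE_HTML, "index.html"):
        replacement = rewrite_url(f.url, "/static/vendor/polyfill")
        print(f"{f.source}:{f.line}: {f.url}  sri={f.has_sri}  ->  {replacement}")
```

Run `scan_tree(Path("."))` from the root of a checkout to cover a whole repository. The `has_sri` flag is informational: every polyfill.io tag will report `False`, because the service built a different bundle per User-Agent, so an integrity hash could never have been pinned. That is exactly why the only remediations are the ones listed above, removing the reference or serving the file from a host you control.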
If you or your organization would like to shield Polyfill related traffic, please contact support@centripetal.ai.
Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
Resources:
- Polyfill.io supply chain attack hits 100,000+ websites — all you need to know
- Once benign Polyfill.io code now exposes 100k+ websites to attack
- Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet
- Polyfill supply chain attack embeds malware in JavaScript CDN assets