
Once Legitimate Polyfill.io Domain Now Serves Malicious Code


StratosAlly


Website owners who load scripts from polyfill.io for browser compatibility should take note: the domain has changed hands and is now delivering malicious scripts. Sites that pull JavaScript fragments from it for compatibility may be unknowingly passing those scripts on to their own visitors. Once a trusted hub for adding JavaScript polyfills to web pages, polyfill.io became a source of malicious scripts following its sale to Funnull, a Chinese company, in February 2024.

The open-source Polyfill project itself, which lets modern JavaScript features work on older browsers, remains legitimate. However, its developer, Andrew Betts, has clarified that he never owned the domain, and he urged developers to remove any references to polyfill.io immediately.

Web security firm c/side found that the domain now injects malicious code into visitors' browsers and mobile devices, generating payloads dynamically based on HTTP headers such as the User-Agent, so that different visitors receive different code and a scanner fetching the script may see nothing suspicious. Some of the served JavaScript files also contain fake Google Analytics links that redirect users to unsavory websites. This poses a significant risk, potentially affecting up to 100,000 websites.

Cloudflare and Fastly have responded by offering alternative endpoints for polyfills and are encouraging site owners to replace polyfill.io links immediately. Security vendors such as Aikido now flag the domain as hostile, and Google has warned advertisers against loading third-party JavaScript from it.

An example to consider: Imagine a website that includes a <script> tag pointing at polyfill.io so that its pages work in Internet Explorer. Nothing in the site's own code changed after the domain's sale, yet the same tag now pulls malicious scripts into every visitor's browser and redirects them to harmful sites. This scenario underscores the critical need for developers to audit their code for third-party script references and switch to secure alternatives.
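The audit that the scenario above calls for, as an added example that is not code from this article or from the Polyfill project: a Node.js script that scans an HTML document for <script> tags loading from polyfill.io or any of its subdomains, rewrites them to Cloudflare's replacement endpoint (https://cdnjs.cloudflare.com/polyfill/, which serves the same /v3/polyfill.min.js?features=... paths under a /polyfill prefix; Fastly's mirror can be substituted by changing REPLACEMENT), and checks whether a Content-Security-Policy header would still let the old host execute scripts. The sample HTML and CSP strings are constructed for the example.

```javascript
// Added example, not code from the article or the Polyfill project.
// Audits HTML for <script src> tags that load from polyfill.io (or any
// subdomain), rewrites them to a replacement host, and checks whether a CSP
// header would still allow the old host. Node.js >= 18, no dependencies.

// Hosts to flag: the apex domain and every subdomain (e.g. cdn.polyfill.io).
const SUSPECT_HOSTS = ["polyfill.io"];

// Assumed replacement: Cloudflare's mirror, which serves the same
// /v3/polyfill.min.js?features=... paths under a /polyfill prefix.
const REPLACEMENT = { origin: "https://cdnjs.cloudflare.com", pathPrefix: "/polyfill" };

// Matches a <script ...> tag and captures its src attribute (quoted or not).
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;

function hostMatches(hostname, suspect) {
  const h = hostname.toLowerCase();
  return h === suspect || h.endsWith("." + suspect);
}

// Returns a URL object if src points at a suspect host, otherwise null.
// Protocol-relative (//host/...) and relative URLs are resolved against a
// dummy base so that hostname comparison works uniformly.
function suspectUrl(src, base = "https://example.invalid/") {
  let url;
  try { url = new URL(src, base); } catch { return null; }
  return SUSPECT_HOSTS.some((s) => hostMatches(url.hostname, s)) ? url : null;
}

function findSuspectScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const url = suspectUrl(m[2]);
    if (url) hits.push({ tag: m[0], src: m[2], hostname: url.hostname });
  }
  return hits;
}

// Rewrites each flagged src to the replacement origin, keeping path and query
// (the ?features= list) so the served bundle stays equivalent.
function rewriteSuspectScripts(html, replacement = REPLACEMENT) {
  return html.replace(SCRIPT_SRC_RE, (tag, _quote, src) => {
    const url = suspectUrl(src);
    if (!url) return tag;
    const newSrc = replacement.origin + replacement.pathPrefix + url.pathname + url.search;
    return tag.replace(src, () => newSrc);
  });
}

// Parses a Content-Security-Policy header and reports whether script-src
// (falling back to default-src) permits scripts from `host`.
function cspAllowsScriptHost(cspHeader, host) {
  const directives = {};
  for (const part of cspHeader.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  const sources = directives["script-src"] ?? directives["default-src"] ?? [];
  return sources.some((s) => {
    if (s === "*") return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return true; // scheme source such as https:
    if (s.startsWith("'")) return false;               // 'self', 'nonce-...', 'unsafe-inline'
    const v = s.replace(/^[a-z]+:\/\//i, "").replace(/[:/].*$/, "").toLowerCase();
    if (v.startsWith("*.")) return host.toLowerCase().endsWith(v.slice(1));
    return v === host.toLowerCase();
  });
}

// Constructed sample page: two polyfill.io references (one on the apex domain,
// one protocol-relative on a subdomain) and one unrelated script to leave alone.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6,fetch"></script>
<script src='//cdn.polyfill.io/v2/polyfill.min.js'></script>
<script src="https://cdn.example.com/app.js" defer></script>
</head><body></body></html>`;

// Constructed CSP that would still let the old host execute scripts.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://polyfill.io https://cdn.example.com";

function auditReport(html, csp) {
  const hits = findSuspectScripts(html);
  const lines = hits.map((h) => `flagged ${h.hostname}: ${h.src}`);
  lines.push(`csp still allows polyfill.io: ${cspAllowsScriptHost(csp, "polyfill.io")}`);
  return lines.join("\n");
}

console.log(auditReport(SAMPLE_HTML, SAMPLE_CSP));
console.log(rewriteSuspectScripts(SAMPLE_HTML));
```

Subresource Integrity is not a substitute for this rewrite: polyfill.io tailors each response to the requesting User-Agent, so there is no single hash to pin, which is also why the header-dependent payloads described above can differ from what a scanner fetches. Removing the host from the CSP allow-list is a second line of defence in case a reference is missed.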

In the wake of this attack, the developer community is urged to remain vigilant, ensuring their web applications are secure and trustworthy.
