Recently, concerns have arisen regarding the security of polyfill.io, a widely used JavaScript library service. A polyfill is code that adds support for modern browser features to browsers that lack them, and polyfill.io is a popular service that delivers such code. Multiple reports have identified instances where polyfill.io was exploited to inject malicious JavaScript into users' browsers, redirecting them to gambling and cryptocurrency websites via a spoofed Google Analytics domain (www.googie-anaiytics[.]com; note the misspelling). This poses a substantial risk because of the service's widespread adoption across the Internet.

In February of this year, the domain and associated GitHub account were acquired by China-based content delivery network (CDN) company Funnull. Subsequently, instances of malware injection targeting mobile devices were detected on sites using cdn.polyfill.io.

The original author of polyfill.io now advises against its use, noting that modern browsers no longer need it. Both Fastly and Cloudflare offer alternative, secure solutions for those still requiring polyfill functionality.

Google has commenced blocking Google Ads for eCommerce sites that use polyfill.io in order to help address this supply chain attack.

Workarounds and Mitigations

Secure-ISS recommends that clients have their developers assess any web assets that may be utilising polyfill.io and seek alternative solutions, as this resource is currently considered to be compromised.
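One way to carry out that assessment is to scan page source for script, link and iframe tags that load from polyfill.io (or its subdomains) or reference the spoofed analytics domain named above. The following is an added example, not Secure-ISS's or polyfill.io's own code; the indicator list is an assumption drawn from this advisory, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the advisory: the compromised polyfill.io service
# (any subdomain) and the spoofed Google Analytics domain, written
# undefanged here so it matches real URLs.
POLYFILL_DOMAIN = "polyfill.io"
SPOOFED_ANALYTICS_HOST = "www.googie-anaiytics.com"

# Constructed sample page for the demonstration (not a real site).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="/static/app.js"></script>
<script src="https://www.googie-anaiytics.com/ga.js"></script>
</head><body></body></html>"""

def _hostname(url):
    if url.startswith("//"):  # protocol-relative URL needs a scheme to parse
        url = "https:" + url
    return (urlparse(url.strip()).hostname or "").lower()

def classify_host(host):
    """Return a reason string if the host is an indicator, otherwise None."""
    if host == POLYFILL_DOMAIN or host.endswith("." + POLYFILL_DOMAIN):
        return "loads from polyfill.io (service considered compromised)"
    if host == SPOOFED_ANALYTICS_HOST:
        return "references the spoofed Google Analytics domain"
    return None

class _AssetScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link", "iframe"):
            return
        url = dict(attrs).get("src") or dict(attrs).get("href")
        reason = classify_host(_hostname(url)) if url else None
        if reason:
            self.findings.append((tag, url, reason))

def scan_html(html):
    """Parse an HTML document and return the list of flagged asset references."""
    scanner = _AssetScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run `scan_html` over each saved page or template; an empty list means no flagged references were found in that document, while hits should be replaced with a self-hosted or alternative CDN copy.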

Further reading

https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet

https://thehackernews.com/2024/06/over-110000-websites-affected-by.html

https://www.darkreading.com/remote-workforce/polyfillio-supply-chain-attack-smacks-down-100k-websites