More than 110K websites using the Polyfill.io service have been impacted by a supply chain attack after a Chinese company bought the service earlier this year. The CDN delivered polyfills, JavaScript for providing modern functionality for older browsers.
Funnull, the new owners, have been injecting malware on mobile devices via any site that embeds cdn.polyfill.io for months, according to a research report from Sansec;
The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware (see below) which redirects mobile users to a sports betting site using a fake Google analytics domain (www.googie-anaiytics.com). The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.
Tens of thousands of companies and organizations have been warned to stop using the service immediately. Those impacted include high-profile users Atlassian, Sendgrid, JSTOR, Intuit, the World Economic Forum, FlatIcon, SiteGround, and many government websites. Google has also been sending out warnings to those with landing pages affected by this attack.
Namecheap, the domain’s registrar, has since decided to take action and the site is now unavailable.
The polyfill-service package on npm hasn’t been updated for six years but still receives more than 2,000 downloads per week. Its ownership was not transferred in the sale of the service.
It’s important to note that self-hosted polyfill.js instances and those hosted by more trustworthy entities are not impacted. Both Cloudflare and Fastly have alternative clones of the service available now.
Polyfill Service Denies Supply Chain Attack Accusations#
The new owners of the Polyfill Service began tweeting yesterday that accusations of a supply chain attack are “slanderous” and that all their services are cached in Cloudflare.
The service claims it has been “defamed,” and would not risk its own reputation while working on their commercialization plan for the CDN.
They have relaunched their service on polyfill.com, with a website that some have noted appears to be a hasty and sloppy copy and paste of jsDelivr’s website.
History of Polyfill.io Sale and Compromise#
The polyfill.js JavaScript library was created by FT.com’s development team nearly 15 years ago and was adopted by numerous projects.
Initially developed to help ensure web applications were compatible with older browsers that didn't support newer JavaScript features, polyfill.js quickly gained traction within the web development community. It allowed developers to write code using the latest standards while ensuring compatibility with older browsers by "filling in" missing functionalities.
The library was originally hosted on the polyfill.io domain, but it has since been moved to other hosting services like cdnjs to mitigate security concerns after the change in ownership of the original domain.
Jake Champion, former engineer at FT who worked on the Polyfill Service, transferred ownership of the domain and GitHub repository to Funnull on February 24, 2024. He has since made his X account private, following the backlash from the supply chain attack. Champion is currently employed by Fastly, which previously hosted the CDN for free but then created its own alternative open source fork of the Polyfill service in February 2024 following the sale.
Warnings about the new ownership have been rolling in for months. Shortly after the sale in February, Fastly DevRel Andrew Betts, who created the Polyfill Service Project, urged people to remove polyfill.io immediately from their websites.
“No website today requires any of the polyfills in the polyfill.io library,” Betts said. “Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.”
He also warned against websites serving popular third-party scripts.
“If you own a website, loading a script implies an incredible relationship of trust with that third party,” Betts said. “Do you actually trust them?”
Betts was the original maintainer of the project but not the most recent one. Champion previously announced his agreement to transfer ownership to Funnull but did not disclose any further details about the transaction. That tweet has now been deleted.
Concerns about the CDN having been compromised were posted to the issues on the Polyfill.io GitHub account multiple times and subsequently deleted by the new owners. These reports were captured on the Internet Archive.
Notos CTO Renaud Chaput posted to the FormatJS repository, warning against the project recommending the service in a GitHub issue months ago. Others expressed concerns about it having been sold to a company that is “notorious for providing service for the betting and pornography industries.”
Chaput also posted about the issue on Mastodon, highlighting the deeper problem of maintainer burnout and lack of funding for open source software.
“Maintaining an Open Source project is hard work, lot of pressure, very often no money, and many many people end up being burned out,” Chaput said.
“Then, sometimes, a company comes up and offers you a large sum of money for it, enough for you to live a better life and never have to feel this pressure, and you accept. This is nowadays very common for browser extensions, can you guess why?
“This is very unfortunate, but will continue to happen until we figure out how to make money-makers (= companies) properly finance the OSS they are relying upon, and getting maintainers out of burnout.”
Recommended Actions for Polyfill.io Users#
There are a number of alternatives for those who are still using the Polyfill.io service. Here are recommendations for moving forward without this service:
- Any site using cdn.polyfill.io should remove it immediately.
- If you’re not sure if you are using the service, the Polykill website, which has been tracking this supply chain vulnerability, recommends that developers use a code search tool or IDE to search for instances of cdn.polyfill.io in source code across all projects within the organization.
- If polyfills are still needed, both Fastly and Cloudflare are providing trustworthy, drop-in alternatives.
- Organizations can also self-host the repository in a safe and controlled environment.
This incident is a strong warning to audit the code of your projects for any third-party services that may not be trustworthy or may have silently transferred to new ownership. Regularly reviewing and updating dependencies can help reduce the risk of being caught up in these kinds of attacks in the future.