Article Details
Scrape Timestamp (UTC): 2024-06-28 03:49:22.874
Source: https://www.theregister.com/2024/06/28/polyfillio_cloudflare_malware/
Original Article Text
Polyfill.io owner punches back at 'malicious defamation' amid domain shutdown

No supply-chain attacks to see over here!

After having its website shut down, the polyfill.io owner is fighting back against claims it smuggled suspicious code onto websites all across the internet.

In a series of angry Xeets over the past three days, what's likely the CDN operator that owns the Polyfill service accused CDN titan Cloudflare, the media, and others of "malicious defamation" and "slander." "We have no supply chain risks," the org claimed in one of several posts.

What is polyfill.io? It offers polyfills – bits of JavaScript code that give older browsers functionality that newer versions provide natively. These in-fills make life easier for developers: by using polyfills, they know their web code will work across a greater range of browsers.

Websites can load and run polyfill.io's code every time someone visits one of their pages. This is fine if the code is harmless, but if it turns harmful, that'll result in sites executing someone else's malicious code in visitors' browsers without anyone immediately realizing it. That code could redirect people to bad places, spy on what they do on the page, and more.

The angry missives follow multiple warnings from experts in the computer security industry — and even the creator of the open source Polyfill service project — telling anyone with a website using any JavaScript code from the polyfill.io domain to immediately remove it.

Following all that criticism, domain registrar Namecheap shut down polyfill.io. The site has since relaunched as polyfill[.]com, billed as a "free CDN for open source projects."

Back in February, CDN operator Funnull bought the .io domain and its associated GitHub account. Sometime after that, polyfill.io was caught sneaking naughty code onto sites in a supply-chain attack, according to e-commerce security outfit Sansec.

More than 100,000 websites were at the start of the week carrying the site's scripts, the Sansec forensic team said.

We should note Funnull claims to be based in Slovenia while also "made in the USA," its various office addresses around the world on its website don't exist, and its WhatsApp and WeChat contact number is in the Philippines. The site's underlying language and Telegram profile are in Mandarin, leading many to suspect the business is a Chinese entity. The Polyfill Twitter account meanwhile says it's based in the UK.

Following the domain's sale in February, Cloudflare warned about it posing a supply-chain risk: Whoever controlled the .io could change the JavaScript code it offered to malicious scripts and infect a ton of sites all in one go.

By Wednesday, Cloudflare said those worries had become a reality, and reported the Polyfill.io service was being used to inject malicious code into browsers. Specifically, according to Cloudflare, since at least June 25, "the polyfill.io service was being used to inject nefarious code that, under certain circumstances, redirected users to other websites."

Sansec went into more detail in its earlier write-up, noting:

"The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware which redirects mobile users to a sports betting site using a fake Google analytics domain. The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."

"This is a real threat to the internet at large given the popularity of this library," Cloudflare CEO and co-founder Matthew Prince noted in an advisory on Wednesday along with CTO John Graham-Cumming and senior director Michael Tremante.

The cloud giant also spun up an automatic JavaScript URL rewriting service to make it easier for any Cloudflare-proxied websites to replace code from polyfill.io with that from Cloudflare's mirror. "This will avoid breaking site functionality while mitigating the risk of a supply chain attack," the trio wrote. This feature has already been activated on any website with a free plan, and paid plans can turn it on with one click.

On Thursday, again via X/Twitter, whoever is behind the Polyfill service responded, describing Cloudflare's actions as "deplorable." "Moving forward, I will be fully dedicated to developing a global CDN product that surpasses Cloudflare, showcasing the true power of capital," they added. The site owner claimed to have $50 million in funding, and added "the product design has been finalized."
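The two defensive steps the article describes, finding pages that pull scripts from the polyfill.io domain and rewriting those references to point at a trusted mirror (what Cloudflare's URL rewriting feature does at the proxy), can also be done on your own templates before deploy. The following is an added example written for this page; it is not code from The Register, Cloudflare, Sansec or the Polyfill project. It runs under Node.js with no dependencies. The list of risky hostnames and the sample HTML are constructed for the demo, and the cdnjs mirror path is an assumption you should confirm against Cloudflare's current documentation before relying on it.

```javascript
// Added example (not from the article or any project it names): scan HTML for
// <script> tags whose src points at the polyfill.io domain (or the relaunched
// polyfill[.]com) and rewrite them to a mirror, preserving path and query so
// the same ?features=... bundle is requested. Regex-based on purpose: it is
// meant for templates and static HTML in a repo, not as a general HTML parser.

// Hostnames this page names as risky (constructed list; extend as needed).
const RISKY_HOSTS = new Set([
  'polyfill.io', 'www.polyfill.io', 'polyfill.com', 'www.polyfill.com',
]);

// Assumption: Cloudflare's cdnjs mirror of the polyfill service. Verify the
// current path in Cloudflare's docs; self-hosting the bundle is safer still.
const MIRROR_BASE = 'https://cdnjs.cloudflare.com/polyfill';

// Matches <script ... src="..."> with double, single or no quotes.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;

// Resolve a src to a hostname. A dummy base makes protocol-relative
// (//polyfill.io/...) and relative (/static/app.js) URLs parse too.
function hostOf(src) {
  try {
    return new URL(src, 'https://example.invalid/').hostname.toLowerCase();
  } catch {
    return null; // unparsable src: treat as not risky, but do not crash
  }
}

// Return every script src in `html` that loads from a risky host.
function findRiskyScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const src = m[2];
    const host = hostOf(src);
    if (host && RISKY_HOSTS.has(host)) hits.push(src);
  }
  return hits;
}

// Rewrite risky script srcs to `mirrorBase` + original path + query.
function rewriteRiskyScripts(html, mirrorBase = MIRROR_BASE) {
  return html.replace(SCRIPT_SRC_RE, (tag, _quote, src) => {
    const host = hostOf(src);
    if (!host || !RISKY_HOSTS.has(host)) return tag; // leave other scripts alone
    const u = new URL(src, 'https://example.invalid/');
    const replacement = mirrorBase + u.pathname + u.search;
    // Function form so a "$" in the replacement is never interpreted specially.
    return tag.replace(src, () => replacement);
  });
}

// Constructed sample page (not a real site) exercising the cases that matter:
// absolute URL with a features query, protocol-relative URL, and two safe scripts.
const SAMPLE_HTML = `
<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6,fetch"></script>
<script src="//www.polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script src='https://cdn.example.org/lib.js'></script>
</head><body></body></html>`;

// Run the scan, the rewrite, and a re-scan to confirm nothing risky remains.
function demo() {
  const found = findRiskyScripts(SAMPLE_HTML);
  const fixed = rewriteRiskyScripts(SAMPLE_HTML);
  return { found, fixed, remaining: findRiskyScripts(fixed) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node scan.js` (any filename works) and feed real template files through `findRiskyScripts` in CI to fail a build that still references the domain. One caveat worth knowing when choosing a mitigation: Subresource Integrity hashes cannot pin polyfill.io output, because, as Sansec notes above, the bundle is generated per request from the HTTP headers, so the bytes differ between browsers; that is why the practical fixes are removing the reference, moving it to a mirror you trust, or self-hosting a fixed copy.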
Daily Brief Summary
Polyfill.io's domain has been shut down by Namecheap following accusations of incorporating suspicious code into users' websites, potentially harming a vast number of internet users.
Cloudflare and security experts have warned about a supply chain risk involving Polyfill.io, alleging the service was altering its JavaScript offerings to include malicious scripts.
Security firm Sansec detailed the malicious code, which redirects mobile users to a sports betting site via a fake Google Analytics domain and includes features to avoid detection and analysis.
In response to these security concerns, Cloudflare has introduced an automatic JavaScript URL rewriting service to protect sites by replacing potentially harmful Polyfill.io code with code from its own mirror.
Despite the allegations, the owner of Polyfill.io denies any wrongdoing, attributing the claims to slander and malicious defamation, and has relaunched the site under a new domain.
Following the initial sale of the Polyfill.io domain and related assets, various inconsistencies and suspicions about the new owner's actual location and legitimacy have surfaced.
The controversy continues with Polyfill expressing intentions to develop and expand a new global CDN product, claiming substantial funding and competitive goals against Cloudflare.