Article Details
Scrape Timestamp (UTC): 2024-06-27 11:01:25.551
Original Article Text
Polyfill claims it has been 'defamed', returns after domain shut down

The owners of Polyfill.io have relaunched the JavaScript CDN service on a new domain after polyfill.io was shut down when researchers exposed that it was delivering malicious code on upwards of 100,000 websites. The Polyfill service claims that it has been "maliciously defamed" and been subject to "media messages slandering Polyfill."

Polyfill: "Someone has maliciously defamed us"

The Polyfill.io domain appears to have been shut down as of today by its registrar Namecheap. The service owners have, however, relaunched the service on a new domain and claim that there are "no supply chain risks."

In a series of posts on X (formerly Twitter), the dubious CDN company has spoken out against allegations of it being involved in a large-scale supply chain attack:

"We found media messages slandering Polyfill. We want to explain that all our services are cached in Cloudflare and there is no supply chain risk," writes Polyfill.

The service further claims that it has been "defamed" and dismissed the idea that a risk exists from use of its CDN:

"Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would jeopardize our own reputation. We have already…"

The service providers have relaunched the service on polyfill.com, also registered with Namecheap and fully functional at the time of testing by BleepingComputer.

Trust no polyfill just yet

Despite Polyfill's lofty claims of being safe for use, however, facts and findings from security practitioners prove otherwise.

The original open source project Polyfill was released for JavaScript developers to add modern functionality to older browsers that do not usually support such features. But its creator, Andrew Betts, never owned and had no association with the polyfill.io domain, which provided Polyfill's code via a CDN:

"If your website uses https://t.co/3xHecLPXkB, remove it IMMEDIATELY. I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale. https://t.co/GYt3dhr5fI"

In February, a Chinese entity named 'Funnull' bought polyfill.io and introduced malicious code in the scripts delivered by its CDN.

Sansec researchers recently identified that the supply chain attack resulting from Polyfill.io's modified scripts had hit more than 100,000 websites. The domain would inject malware on mobile devices visiting websites that embed code directly from cdn.polyfill[.]io.

Yesterday, cloud security company Cloudflare also raised concerns over Polyfill.io's unauthorized use of the Cloudflare name and logo. It stated that the failure of polyfill.io owners to remove the "false statement" from their website despite being contacted by Cloudflare was "yet another warning sign that they cannot be trusted."

Cloudflare further corroborated Sansec's claims that code delivered by Polyfill.io's CDN was in fact redirecting users to sports betting sites and did so using a typosquatted domain name (google-anaiytics[.]com), which was an intentional misspelling of the Google Analytics one.

Websites and developers should refrain from using polyfill.io and polyfill.com and consider switching to safe alternatives set up by Cloudflare and Fastly.
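A way to check a site's own pages for the references the article warns about, as an added example that is not part of the original article or any vendor's tooling: it scans HTML for script and link tags pointing at polyfill.io, polyfill.com or the typosquatted analytics domain, matching on host boundaries so lookalike hosts are not flagged. The sample page, function names and URL paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the article, stored defanged and refanged only at runtime.
FLAGGED = [d.replace("[.]", ".") for d in
           ("polyfill[.]io", "polyfill[.]com", "google-anaiytics[.]com")]

def flagged_domain(url):
    """Return the flagged domain the URL's host equals or is a subdomain of."""
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:  # malformed URL: nothing to match
        return None
    for domain in FLAGGED:
        # Exact or dot-boundary match, so polyfill.io.example.org is ignored.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

class RefCollector(HTMLParser):
    """Collects (line, tag, url) from <script src> and <link href>."""
    WATCHED = {("script", "src"), ("link", "href")}
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in self.WATCHED:
                self.refs.append((self.getpos()[0], tag, value))

def scan_html(html):
    """Return (line, tag, url, domain) for each reference to a flagged domain."""
    collector = RefCollector()
    collector.feed(html)
    collector.close()
    return [(line, tag, url, flagged_domain(url))
            for line, tag, url in collector.refs if flagged_domain(url)]

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="preconnect" href="https://cdn.polyfill.io">
<script src="//CDN.Polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://polyfill.com/v3/polyfill.min.js"></script>
<script src="https://polyfill.io.example.org/x.js"></script>
</head></html>"""

if __name__ == "__main__":
    for line, tag, url, domain in scan_html(SAMPLE):
        print(f"line {line}: <{tag}> loads {url} (flagged: {domain})")
```

Protocol-relative and mixed-case URLs are normalized before matching, and preconnect hints are reported as well because they show a page still depends on the flagged host.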
Daily Brief Summary
Polyfill.io was shut down after researchers found it delivering malicious code via its CDN, affecting over 100,000 websites.
Polyfill has denied allegations, claiming the reports are defamation and that their services are safe due to static caching via Cloudflare.
Despite their claims, the service relaunched on a new domain, polyfill.com, under the same registrar.
Sansec and Cloudflare have confirmed the security risks associated with the original polyfill.io CDN, which led to unwanted redirects and misuse of Cloudflare's name.
The original creator of the Polyfill open source project clarified they had never owned the polyfill.io domain and warned users against using it.
A misleading domain name similar to Google Analytics was used by the malicious CDN to redirect visitors to sports betting sites.
Experts advise users to cease using both polyfill.io and the new polyfill.com domain and to switch to verified alternatives provided by reliable companies like Cloudflare and Fastly.