Website administrators are urged to remove the Polyfill.io service from their sites immediately, after it was found to be serving malware to site visitors.
A polyfill is a piece of code (usually JavaScript) used to provide modern functionality in older browsers that do not support it natively. The term originates from the idea of "filling" gaps in a browser's feature set, allowing developers to use modern web standards and APIs without worrying about compatibility issues. Polyfills allow developers to write code using the latest standards while ensuring it still works in older environments.
The Polyfill.io service is quite popular: more than 100,000 sites currently use it and it was sold in February 2024 to a Chinese company. Back then, the original owners of the project warned its users to remove the tool immediately, as they were now susceptible to a supply chain attack. Both Cloudflare and Fastly set up their own versions of the Polyfill.io service, providing users with a reliable service.
Google's warning
“Today, no website requires any of the library polyfills,” tweeted the developer of the original Polyfill service project. “Most of the features added to the web platform are quickly adopted by all major browsers, with a few exceptions that generally cannot be completed anyway, such as Web Serial and Web Bluetooth.”
A few months later, cybersecurity experts at Sansec warned that Polyfill was distributing malware.
“In February this year, a Chinese company purchased the Github domain and account. Since then, this domain was discovered injecting malware into mobile devices through any site that embeds cdn.polyfill.io,” Sansec said.
Google also intervened, notifying affected advertisers that their landing pages might now redirect visitors away from their intended destination and toward potentially malicious websites.
“The code causing these redirects appears to come from a few different third-party web resource providers, including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org,” BleepingComputer quotes an email from Google.
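As a defender's audit aid (an added example, not code from the article or from the Polyfill project), this Python script parses a page's HTML, flags any `<script>` loading from the hosts named above (including their subdomains), and reports whether each external script carries a Subresource Integrity hash. The sample page, the placeholder mirror host cdn.example.test and its integrity value are constructed.

```python
# Added example (not from the article or the Polyfill project): audit HTML for risky script hosts.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party hosts named in the article (Sansec and Google's advertiser email).
RISKY_HOSTS = {"polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org"}

def host_matches(hostname, risky_hosts=RISKY_HOSTS):
    """True if hostname equals a risky host or is a subdomain of one."""
    if not hostname:
        return False
    hostname = hostname.lower().rstrip(".")
    return any(hostname == h or hostname.endswith("." + h) for h in risky_hosts)

class ScriptAuditor(HTMLParser):
    """Record every external <script src=...> seen while parsing."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        # urlparse handles scheme-relative "//host/path" as well as https://;
        # same-origin paths such as "/js/app.js" have no hostname and are skipped.
        host = urlparse(attrs.get("src") or "").hostname
        if host is None:
            return
        self.findings.append({"src": attrs["src"], "host": host,
                              "risky": host_matches(host),
                              "has_integrity": bool(attrs.get("integrity"))})

def audit_html(html):
    """Return findings for every external script; 'risky' ones should be removed."""
    parser = ScriptAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample: two named-host embeds, one SRI-pinned placeholder mirror, one local script.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.bootcdn.net/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdn.example.test/polyfill.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        verdict = "REMOVE" if f["risky"] else ("ok" if f["has_integrity"] else "no SRI")
        print(f"{verdict:7} {f['host']:20} {f['src']}")
```

Scripts marked REMOVE load from a host named in the incident; external scripts without an integrity attribute can be pinned so that a later change at the CDN fails to load instead of running.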