Website administrators are urged to immediately remove the Polyfill.io service after it was found to be providing malware to site visitors.
A polyfill is a piece of code (usually JavaScript) used to provide modern functionality in older browsers that do not support it natively. The term comes from the idea of "filling" the gaps in a browser's features, allowing developers to use modern web standards and APIs without worrying about compatibility issues. Polyfills allow developers to write code against the latest standards while ensuring it still works in legacy environments.
The Polyfill.io service is quite popular, with over 100,000 sites using it today, and it was sold to a Chinese company in February 2024. At the time, the project's original owners warned users to uninstall the tool immediately, as they were now susceptible to a supply chain attack. Both Cloudflare and Fastly have since set up their own versions of the Polyfill.io service, so users have a familiar alternative to switch to.
Google’s warning
“No website today requires any of the polyfills in the http://polyfill.io library,” the original developer of the Polyfills service project tweeted. “Most of the features added to the Web platform are quickly adopted by all major browsers, with a few exceptions that typically cannot be polyfilled anyway, such as Web Serial and Web Bluetooth.”
A few months later, cybersecurity experts from Sansec warned that Polyfill was spreading malware.
"In February this year, a Chinese company purchased the domain and GitHub account. Since then, this domain has been caught injecting malware into mobile devices through any site that embeds cdn.polyfill.io," Sansec said.
Google also stepped in and informed affected advertisers that their landing pages might now be redirecting visitors away from their intended destination to potentially malicious websites.
"The code causing these redirects appears to come from a number of different third-party web resource providers, including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org," BleepingComputer quoted an email from Google as saying.
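The practical first step for a site owner is to find out whether any page still pulls scripts or stylesheets from the providers named above. The scanner below is an added example, not code from the article, from Sansec, Google or the Polyfill.io project. It walks HTML with Python's standard-library parser, flags any external script or stylesheet whose host is one of the four providers listed in the Google email, and separately flags external resources that carry no Subresource Integrity (`integrity`) attribute. The embedded HTML sample is constructed for the demonstration; the `cdn.` subdomains and the `example-cdn.test` host in it are assumed, not taken from the page.

```python
"""Scan HTML for third-party <script>/<link> resources.

Added example (not the article's or any project's own code). It flags
resources loaded from the providers named in the article and external
resources that lack a Subresource Integrity attribute.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named on the page as sources of the injected redirect code.
FLAGGED_HOSTS = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org")


def _flagged(host: str) -> bool:
    """True if host is one of the flagged domains or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class ExternalResourceScanner(HTMLParser):
    """Collects findings for external <script src> and <link rel=stylesheet href>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if tag == "script":
            url = attrs.get("src")
        elif tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            url = attrs.get("href")
        else:
            return
        if not url:
            return
        # urlparse handles both absolute and protocol-relative (//host/...) URLs;
        # a same-origin path yields an empty netloc and is out of scope here.
        host = urlparse(url).netloc
        if not host:
            return
        if _flagged(host):
            self.findings.append({"tag": tag, "url": url, "issue": "flagged third-party host"})
        elif "integrity" not in attrs:
            self.findings.append({"tag": tag, "url": url, "issue": "external resource without SRI"})


def scan_html(html: str) -> list:
    """Return a list of findings (dicts with tag, url, issue) for one HTML document."""
    parser = ExternalResourceScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one polyfill.io script, one bootcss stylesheet,
# one external script without SRI, one with SRI, and one same-origin script.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/lib2.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"{finding['issue']}: <{finding['tag']}> {finding['url']}")
```

Running it over the sample reports the polyfill.io script and the bootcss stylesheet as flagged hosts and `lib.js` as an external resource without SRI; `lib2.js` passes because it is pinned, and the same-origin script is ignored. The SRI check is a general hygiene signal rather than a fix for this incident: a service that tailors its response to the requesting browser cannot be pinned with a single hash, so for the polyfill.io reference the remedy is to remove it or point it at one of the replacement services the article mentions.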