Polyfill, a JavaScript CDN service, claimed to be defamed and relaunched on a new domain after researchers exposed it for delivering malicious code on more than 1,00,000 websites.
The service claimed to be “maliciously defamed” in a series of posts on X, formerly Twitter. On June 27, 2024, the Polyfill.io domain seems to have been shut down by its registrar, Namecheap.
The CDN company spoke against the allegations of its involvement in a large-scale supply chain attack. They said, “We found media messages slandering Polyfill. We want to explain that all our services are cached in Cloudflare, and there is no supply chain risk.”
The service providers relaunched a new domain, ‘polyfill.com,’ registered with Namecheap and is currently fully functional. While the company claims to be safe because its content is statically cached, security researchers’ findings said otherwise.
Andrew Betts created the original Polyfill project for JavaScript developers to integrate modern functionality into older browsers. Andrew Betts took it to X to advise website owners to remove it immediately.
After Cloudflare identified the CDN company as untrustworthy, Polyfill termed the remarks as “repeated, baseless and malicious defamation.” They further said that Cloudflare’s unethical strategy was to suppress competition while claiming to have secured $50 million in startup funding and possess a finalised product design.
In February, a Chinese entity called ‘Funnull’ bought polyfill.io and injected malicious code into scripts delivered via its CDN. Sansec researchers recently exposed the supply chain attack, which affected over 100,000 websites following the service’s script modification.
The domain was modified to insert malware on mobile devices visiting websites that embedded code directly from CDN.polyfill[.]io. It would redirect users to sports betting sites using a typo-squatted name, google-anaiytics[.]com, which was an intentional misspelling of Google Analytics.
Cloudflare also accused Polyfill.io for unauthorised use of its name and logo. Additionally, Google warned advertisers that their landing pages included malicious code and could redirect visitors to another website without the owner’s permission or knowledge.
For now, it would be advisable to refrain from using polyfill.io or polyfill.com and replace existing applications of said service with safe alternatives such as CloudFlare and Fastly.
In the News: Google Translate adds support for 110 new languages