Polyfill claims it has been ‘defamed’, returns after domain shut down

June 27, 2024 at 06:57AM

The Polyfill.io JavaScript CDN service was shut down after researchers discovered malicious code being delivered to over 100,000 websites. The service has since been relaunched on a new domain, polyfill.com, claiming to have no supply chain risks. However, doubts remain due to security practitioners' findings and concerns raised by Cloudflare. Safe alternatives are recommended.

There is significant concern about the security and trustworthiness of Polyfill.io and Polyfill.com. It has been reported that the original open source project Polyfill was taken over by a Chinese entity named 'Funnull', which injected malicious code into the scripts delivered by its CDN. This resulted in a supply chain attack affecting over 100,000 websites.

Cloudflare has also raised concerns about the unauthorized use of its name and logo by Polyfill.io. It appears that the code delivered by Polyfill.io's CDN was redirecting users to sports betting sites and using a typosquatted domain name.

In light of these findings and warnings, websites and developers are advised to refrain from using Polyfill.io and Polyfill.com and instead consider switching to safe alternatives provided by trusted companies such as Cloudflare and Fastly.
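Acting on that advice starts with finding which pages still load anything from the two domains. The scanner below is an added example, not part of the original article: it flags `polyfill.io` and `polyfill.com` (and their subdomains) in resource-loading attributes and in inline script text. The names `flagged_host`, `Scanner` and `scan_html` and the sample page are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_DOMAINS = ("polyfill.io", "polyfill.com")  # from the article; subdomains match too
URL_ATTRS = {("script", "src"), ("link", "href"), ("iframe", "src")}  # remote-load attributes
# Flagged hostnames in inline script text (loaders that set src at runtime).
INLINE_HOST = re.compile(r"(?<![\w.-])((?:[\w-]+\.)*(?:%s))(?![\w-]|\.[\w-])"
                         % "|".join(map(re.escape, FLAGGED_DOMAINS)), re.I)
# Constructed sample page for the demonstration, not taken from a real site.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//POLYFILL.com/v3/polyfill.min.js" async></script>
<script src="https://example.org/polyfill.io/local-copy.js"></script>
<script>
  var s = document.createElement("script");
  s.src = "https://polyfill.io/v3/polyfill.min.js";
</script></head><body><p>We removed polyfill.io last week.</p></body></html>"""

def flagged_host(url):
    """Return the hostname if url points at a flagged domain, else None."""
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return None
    return host if any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS) else None

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:
            host = flagged_host(value) if value and (tag, name) in URL_ATTRS else None
            if host:
                self.findings.append((self.getpos()[0], tag, host))
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        for m in INLINE_HOST.finditer(data) if self.in_script else ():
            line = self.getpos()[0] + data.count("\n", 0, m.start())  # line of the match
            self.findings.append((line, "inline-script", m.group(1).lower()))

def scan_html(text):
    """Return sorted (line, location, host) findings for one HTML document."""
    scanner = Scanner()
    scanner.feed(text)
    scanner.close()
    return sorted(scanner.findings)
```

Matching is done on the parsed hostname, so a path that merely contains `polyfill.io` or prose that mentions it is not reported; scripts injected by third-party tags at runtime are outside what a static scan can see.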
