logo

Polyfill claims it has been 'defamed', returns after domain shut down

supply chain

The owners of Polyfill.io have relaunched the JavaScript CDN service on a new domain after polyfill.io was shut down as researchers exposed it was delivering malicious code on upwards of 100,000 websites.

The Polyfill service claims that it has been "maliciously defamed" and been subject to "media messages slandering Polyfill."

Polyfill: "Someone has maliciously defamed us"

The Polyfill.io domain appears to have been shut down as of today by its registrar Namecheap.

The service owners have, however, relaunched the service on a new domain and claim that there are "no supply chain risks."

In a series of posts on X (formerly Twitter), the dubious CDN company has spoken out against allegations of it being involved in a large scale supply chain attack:

"We found media messages slandering Polyfill. We want to explain that all our services are cached in Cloudflare and there is no supply chain risk," writes Polyfill.

The service further claims that it has been "defamed" and dismissed that a risk exists from usage of its CDN:

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website,
but no one would do this as it would be jeopardize our own reputation.

We have already…

— Polyfill (@Polyfill_Global) June 26, 2024

The service providers have relaunched the service on polyfill.com—also registered with Namecheap and fully functional at the time of test by BleepingComputer.

Trust no polyfill just yet

Despite Polyfill's lofty claims of being safe for use, however, facts and findings made by security practitioners prove otherwise.

Polyfill returns on a new domain
Polyfill returns on a new domain (Feross Aboukhadijeh via X)

The original open source project, Polyfill was released for JavaScript developers to add modern functionality to older browsers that do not usually support such features. But, its creator, Andrew Betts never owned and had no association with the polyfill.io domain which provided Polyfill's code via a CDN:

tweet

In February, a Chinese entity named 'Funnull' bought polyfill.io and introduced malicious code in scripts delivered by its CDN.

Sansec researchers recently identified that the supply chain attack resulting from Polyfill.io's modified scripts had hit more than 100,000 websites. The domain would inject malware on mobile devices visiting websites that embedding code directly from cdn.polyfill[.]io.

Yesterday, cloud security company, Cloudflare also raised eyebrows on Polyfill.io's unauthorized use of the Cloudflare name and logo. It stated that Polyfill.io's failure to remove the "false statement" from their website despite being contacted by Cloudflare was "yet another warning sign that they cannot be trusted."

Cloudflare logo in use by Polyfill.io
Polyfill.io bearing the 'Cloudflare Security Protection' message that could be misconstrued
(BleepingComputer)

Cloudflare further corroborated Sansec's claims that code delivered by Polyfill.io's CDN was in fact redirecting users to sports betting sites and did so using a typosquatted domain name (google-anaiytics[.]com) which was an intentional mispelling of the Google Analytics one.

As such, websites and developers should refrain from using either polyfill.io or polyfill.com, and consider replacing existing usage of the service with safe alternatives set up by Cloudflare and Fastly.


Free security scan for your website