If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately

Scripts turn sus after mysterious CDN swallows domain


The polyfill.io domain is being used to infect more than 100,000 websites with malicious code after what's said to be a Chinese organization bought the domain earlier this year, researchers have said.

Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the polyfill.io domain to immediately remove it.

The site offered polyfills – small pieces of JavaScript that give older browsers functionality that is built into newer ones. These in-fills make life easier for developers: by loading polyfills, they know their web code will work across a greater range of browsers.

Now we're told polyfill.io is serving suspicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running potentially bad stuff in their browser.

"The cdn.polyfill.io domain is currently being used in a web supply chain attack," security monitoring biz c/side's Carlo D'Agnolo said in an advisory. "It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users." 

Additionally, we understand Google has started blocking Google Ads for websites that use the impacted code, presumably to reduce traffic to them and cut the number of potential victims. Affected site owners have also been alerted by the internet giant.

"We detected a security issue recently that may affect websites using certain third-party libraries," a Google spokesperson told The Register. "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."

Sites that embed poisoned scripts from polyfill.io and also bootcss.com may unexpectedly redirect visitors away from the intended location and send them to undesirable sites, Google told advertisers.
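As an added check, not from the article or from any of the firms quoted, here is a small Node.js script that scans a page's HTML for script tags loading from the two domains named above (polyfill.io and bootcss.com, including any subdomain such as cdn.polyfill.io); the HTML sample and the mirror hostname in it are constructed.

```javascript
// Added example, not from the article: find <script src> tags that load
// from domains implicated in the polyfill.io incident. The domain list comes
// from the article; the sample HTML below is constructed for illustration.
const SUSPECT_HOSTS = ["polyfill.io", "bootcss.com"];

// Pull every src attribute out of <script ...> opening tags
// (double-quoted, single-quoted or unquoted attribute values).
function extractScriptSrcs(html) {
  const srcs = [];
  const tagRe = /<script\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[0]);
    if (attr) srcs.push(attr[1] ?? attr[2] ?? attr[3]);
  }
  return srcs;
}

// Hostname of a script URL; protocol-relative "//host/..." is treated as https.
// Returns null for relative paths, which are first-party and not a CDN load.
function hostOf(src) {
  try {
    const abs = src.startsWith("//") ? "https:" + src : src;
    return new URL(abs).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// True if the host is one of the suspect domains or a subdomain of one.
function matchesSuspect(host) {
  return SUSPECT_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Return every script URL in the HTML that loads from a suspect host.
function findSuspectScripts(html) {
  return extractScriptSrcs(html).filter((src) => {
    const host = hostOf(src);
    return host !== null && matchesSuspect(host);
  });
}

// Constructed sample page: two offending tags, one first-party script,
// and one script from a hypothetical mirror host that should not be flagged.
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src='//cdn.bootcss.com/jquery/3.6.0/jquery.min.js'></script>
<script src="/static/app.js"></script>
<script src="https://mirror.example.com/v3/polyfill.min.js"></script>
</head></html>`;

console.log(findSuspectScripts(SAMPLE_HTML));
```

Because the served code varied with request headers, a subresource integrity hash could not have pinned it, so removing or re-pointing the tag is the only fix. The scan is string-based and will miss scripts injected at runtime by other scripts.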

More than 100,000 websites are already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a CDN operator believed to be Chinese that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack.

Though Funnull claims to be based in Slovenia, and it says it has offices around the world, the listed addresses are nonsensical, the website's underlying language is Mandarin, it may actually be located in the Philippines, and there are other odd things about the organization, leading folks to suspect the biz is actually Chinese.

Polyfill.io is used by academic library JSTOR as well as Intuit, the World Economic Forum, and tons more.

Since February, "this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec, an e-commerce security company, warned, adding that any complaints about the malicious activity are quickly removed from the GitHub repository.

"The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely," Sansec noted, adding the code may, for example, redirect "mobile users to a sports betting site using a fake Google analytics domain."

In fact, Andrew Betts, who created the open source Polyfill project in the mid-2010s, told people earlier this year not to use polyfill.io at all. As we understand it, Betts maintained the project and contributed to its GitHub repo until a few years ago, and he now argues it is no longer needed.

In February, he said he had nothing to do with the domain name and GitHub account's transfer to the mysterious CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.

"If you own a website, loading a script implies an incredible relationship of trust with that third party," he Xeeted at the time. "Do you actually trust them?"

Soon after, CDN providers including Fastly, where Betts works today, and Cloudflare created mirrors of polyfill.io so that sites could continue to use the code in the meantime without having to load anything from a suspected Chinese entity.

"The concerns are that any website embedding a link to the original polyfill.io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare's Sven Sauleau and Michael Tremante said in February.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised," they added.

Now that seems to be the case. ®

Editor's note: This article was updated to clarify and include further observations about Funnull. Also, check out our follow-up coverage here.
