In context: Polyfills are snippets of JavaScript code that provide modern features on older web browsers. There’s nothing wrong with polyfills per se, but miscreants and cyber-criminals can easily abuse them to turn legit websites into threats against visitors.
Originally developed as an open-source project for offering JS polyfills to third-party developers, the polyfill.io domain is now a dangerous internet threat. Earlier this week, security analysts discovered that a mysterious Chinese entity named Funnull is abusing the domain to inject malicious code into websites.
Funnull is a content distribution network (CDN) provider believed to be operated by Chinese cyber-criminals, although details about the company turned out to be mostly made up or nonsensical. Over 100,000 websites use polyfills.io to make their code more compatible with older browsers. Funnul allegedly targets these sites in a classic, web-based supply chain attack.
Many popular websites, including the World Economic Forum, Intuit, and Jstor, use the cdn.polyfill.io domain. Anyone visiting one of the affected sites can become a victim of Funnul’s criminal operation, as it uses their browser to spread and run the malicious polyfill code injected into the domain.
If your website uses https://t.co/3xHecLPXkB, remove it IMMEDIATELY.
I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale. https://t.co/GYt3dhr5fI
– Andrew Betts (@triblondon) February 25, 2024
When Funnull purchased polyfill.io in February, the project’s original developer, Andrew Betts, said that any website still using the domain had to remove it “immediately.” Betts created the polyfill service without owning the corresponding domain, so he had no control over its sale. Chinese criminals (or possibly state threat actors) have now started to abuse a project that could still provide some valuable functionality for web companies.
The most popular CDN providers, like Cloudflare, have already created forks of the original polyfill.io service, providing users and web developers a much safer choice for their backward compatibility efforts. Meanwhile, Google warned its advertising partners that “specific third-party libraries,” including polyfill.io, bootcss.com, and others, could be abused to redirect visitors away from their intended web destination.
Google Ads are now blocked on websites still using the original polyfill.io domain, while security analysts are urging developers to check their code for any use of the domain and remove it. The Polyfill.io GitHub repository, which started to receive complaints about malicious scripts, is currently unavailable to the public.
