Polyfill.io Supply Chain Attack - Vulnerability Database

Polyfill.io Supply Chain Attack

Description

The website loads JavaScript code from polyfill.io, a content delivery network (CDN) that was compromised in a supply chain attack. After being acquired by Funnull, a China-based company, the polyfill.io service was modified to inject malicious JavaScript code into websites that reference it. This affects any site using script tags or imports pointing to cdn.polyfill.io or polyfill.io domains.

Remediation

Immediately remove all references to polyfill.io from your website. Follow these steps:

1. Identify all script tags loading from polyfill.io domains:

<!-- REMOVE these references -->
<script src="https://cdn.polyfill.io/..."></script>
<script src="https://polyfill.io/..."></script>

2. Replace with one of these secure alternatives:

Option A - Use Cloudflare's cdnjs (community mirror):
<script src="https://cdnjs.cloudflare.com/polyfill/"></script>

Option B - Use Fastly's official mirror:
<script src="https://polyfill-fastly.io/v3/polyfill.min.js"></script>

Option C - Self-host polyfills by bundling only the features your application needs using build tools like Webpack or Vite.

3. Clear your CDN and browser caches to ensure the malicious code is no longer served.
4. Review your Content Security Policy (CSP) headers to prevent unauthorized script sources in the future.
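As an added example that is not code from Invicti or from the polyfill project, the following Node.js script supports steps 1 and 4 of the procedure above: it scans page or bundle source for any reference to polyfill.io or one of its subdomains (including protocol-relative URLs and ES module imports, which a plain search for the literal script tag can miss) and checks whether a given Content-Security-Policy header would still let a browser execute scripts from those hosts. The sample HTML and both CSP headers are constructed for the demonstration; the CSP matcher is deliberately simplified (host matching only, no port or path rules).

```javascript
// Added example, not Invicti's or the polyfill project's own code.
// Audits site sources for references to the compromised polyfill.io domains
// and evaluates whether a CSP would still allow scripts from them.

// The advisory names polyfill.io and cdn.polyfill.io; treat every subdomain as affected.
function isCompromisedHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "polyfill.io" || h.endsWith(".polyfill.io");
}

// Resolve a URL the way a browser would, so "//cdn.polyfill.io/..." (no scheme)
// is recognised. The base origin is a placeholder so relative paths resolve to
// a harmless host and are not flagged.
function hostOf(url) {
  try {
    return new URL(url, "https://site.invalid/").hostname;
  } catch {
    return null;
  }
}

// Scan HTML or JavaScript text and return each line that references a compromised
// host through any absolute or protocol-relative URL literal: <script src>,
// <link href>, ES imports, fetch() arguments, CSS @import and so on.
function findPolyfillReferences(source) {
  const urlPattern = /(?:https?:)?\/\/[^\s"'<>()`]+/gi;
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const match of text.matchAll(urlPattern)) {
      const host = hostOf(match[0]);
      if (host && isCompromisedHost(host)) {
        findings.push({ line: idx + 1, url: match[0], host });
      }
    }
  });
  return findings;
}

// Parse a Content-Security-Policy header into a map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Simplified host-source matching: "*", scheme-only sources such as "https:"
// (which admit every HTTPS host, polyfill.io included), exact hosts and
// "*.example.com" wildcards. Keyword sources ('self', 'none', nonces) never
// name a remote host, so they do not match.
function sourceMatchesHost(source, hostname) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:" || s === "http:") return true;
  if (s.startsWith("'")) return false;
  const hostPart = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split("/")[0].split(":")[0];
  if (hostPart.startsWith("*.")) return hostname.endsWith(hostPart.slice(1));
  return hostPart === hostname;
}

// True when the policy would let the browser run a script from `hostname`.
// A missing script-src falls back to default-src; no applicable directive
// means the policy does not restrict script sources at all.
function cspAllowsScriptFrom(header, hostname) {
  const sources = parseCsp(header).get("script-src") ?? parseCsp(header).get("default-src");
  if (!sources) return true;
  return sources.some((src) => sourceMatchesHost(src, hostname));
}

// Constructed sample page (not a real site) mixing affected and unaffected references.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/"></script>
<script type="module">import "https://polyfill.io/v3/polyfill.min.js";</script>
<script src="/static/app.js"></script>
</head><body></body></html>`;

// Constructed policies: the weak one uses a scheme-only source, the strict one
// names only the replacement CDN.
const WEAK_CSP = "default-src 'self'; script-src 'self' https:";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com";

function demo() {
  return {
    references: findPolyfillReferences(SAMPLE_HTML),
    weakAllows: cspAllowsScriptFrom(WEAK_CSP, "cdn.polyfill.io"),
    strictAllows: cspAllowsScriptFrom(STRICT_CSP, "cdn.polyfill.io"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node audit.js` after pointing `SAMPLE_HTML` at your own page source or built bundles; the findings list lines 3, 4 and 6 of the sample (the cdnjs replacement and the relative `/static/app.js` are not flagged), the scheme-only `https:` policy still admits `cdn.polyfill.io`, and the policy that names only `cdnjs.cloudflare.com` blocks it. Because `script-src` falls back to `default-src` only when it is absent, a policy whose `script-src` lists `https:` is exactly the kind of allowance step 4 asks you to review.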