Monday, February 24, 2025

Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet

polyfill.io, a popular JavaScript library service, can no longer be trusted and should be removed from websites.

Multiple reports, confirmed with data from our own client-side security system, Page Shield, have shown that the polyfill service was used, and could be used again, to inject malicious JavaScript code into users’ browsers. This is a real threat to the Internet in general given the popularity of this library.

In the last 24 hours we have released an automatic JavaScript URL rewriting service that rewrites any link to polyfill.io on a Cloudflare-proxied website into a link to our mirror under cdnjs. This keeps site functionality working and reduces the risk of a supply chain attack.

This feature is now automatically activated on every website with the free plan. Websites with a paid subscription can enable this feature with one click.

You can find this new feature under Security ⇒ Settings in any zone that uses Cloudflare.

Contrary to what is stated on the polyfill.io website, Cloudflare has never endorsed or authorized the polyfill.io service to use Cloudflare’s name on their website. We asked them to remove the false statement, but so far they have ignored our requests. This is another warning sign that they cannot be trusted.

If you are not using Cloudflare today, we strongly recommend that you remove all use of polyfill.io and/or find an alternative solution. And while the automatic replacement feature will handle most cases, the best practice is to remove polyfill.io from your projects and replace it with a secure alternative mirror like Cloudflare’s, even if you are a customer.

You can do this by searching your code repositories for instances of polyfill.io and replacing them with cdnjs.cloudflare.com/polyfill/ (Cloudflare’s mirror). This is a safe, permanent change, as the two URLs serve the same polyfill content. All website owners, whether or not their website uses Cloudflare, should do this now.

How we came to this decision

In February, the domain polyfill.io, which hosts a popular JavaScript library, was sold to a new owner: Funnull, a relatively unknown company. At the time, we were concerned that this would pose a risk to the supply chain. This led us to set up our own mirror version of the polyfill.io code hosted under cdnjs, a JavaScript library repository sponsored by Cloudflare.

The new owner was unknown in the industry and had no track record of trust to manage a project like polyfill.io. The concern, highlighted even by the original author, was that if they exploited polyfill.io by injecting additional code into the library, it could cause far-reaching security vulnerabilities on the Internet affecting several hundred thousand websites, or it could be used to conduct a targeted supply chain attack on specific websites.

Unfortunately, that concern became a reality on June 25, 2024, when the polyfill.io service was used to inject malicious code that redirected users to other websites under certain circumstances.

We took the extraordinary step of using our ability to customize HTML on the fly to replace references to the polyfill.io CDN on our customers’ websites with links to our own secure mirror created in February.

Since then, other threat feed providers have also decided to mark the domain as malicious. We have not blocked the domain completely through any of the mechanisms we have in place, as we are concerned that this could cause widespread web outages given the wide adoption of polyfill.io, with some estimates pointing to use on almost 4% of all websites.

Confirming the data with Page Shield

The original report indicates that malicious code was injected that would redirect users to gambling sites under certain circumstances. This was done by loading additional JavaScript that performs the redirect from a set of additional domains, which can be treated as Indicators of Compromise (IoCs):


(Note the intentional misspelling of the Google Analytics domain, googie-anaiytics.com, which is meant to pass as the legitimate one at a glance.)

Page Shield, our client-side security solution, is available on all paid plans. When enabled, it collects information about JavaScript files loaded by end-user browsers accessing your website.

By looking at the database of detected JavaScript files, we immediately found matches to the IoCs above, starting at 2024-06-08 15:23:51 (the first-seen timestamp of the JavaScript file detected by Page Shield). This was a clear indication that malicious activity was active and related to polyfill.io.

To achieve efficient HTML rewriting, we need to make lightning-fast HTML changes as responses flow through Cloudflare’s network. This was made possible by using ROFL (Response Overseer for FL). ROFL supports several Cloudflare products that need to modify HTML as it streams, such as Cloudflare Fonts, Email Obfuscation, and Rocket Loader.

ROFL was developed entirely in Rust. Rust’s memory safety features are essential for ensuring protection against memory leaks while processing a staggering amount of requests, running into the millions per second. The compiled nature of Rust allows us to precisely optimize our code for specific hardware configurations, delivering performance gains compared to interpreted languages.

ROFL’s performance allows us to rewrite HTML on the fly and customize polyfill.io links quickly, securely, and efficiently. This speed helps us reduce any extra latency added by processing the HTML file.

When enabled, for each HTTP response with an HTML content type, we parse the src attribute of every <script> tag. If a link to polyfill.io is found, we rewrite the src attribute to point at our mirror instead. We keep the appropriate version path of the polyfill service and leave the query string untouched.

The logic is not triggered if a Content-Security-Policy (CSP) header is found in the response. This ensures that we don’t replace a link in a way that violates the site’s CSP and potentially breaks the website.
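To make the rewriting rule concrete, here is an added example in Python (not Cloudflare’s ROFL code): it rewrites the src of every <script> tag that points at polyfill.io to the cdnjs mirror, keeps the /vN/ path and the query string as-is, and leaves the whole response untouched when a Content-Security-Policy header is present. It assumes cdn.polyfill.io as an alias host and that the mirror keeps the versioned path under /polyfill/, as the page’s v3 links show; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# polyfill.io is the host named on the page; cdn.polyfill.io is an assumed alias.
POLYFILL_HOSTS = {"polyfill.io", "cdn.polyfill.io"}
MIRROR_HOST = "cdnjs.cloudflare.com"
# Raw src attribute inside a start tag: (prefix)(optional quote)(value).
SRC_ATTR = re.compile(r'''(\ssrc\s*=\s*)(["']?)([^"'\s>]+)''', re.IGNORECASE)

def rewrite_polyfill_url(url):
    """Map https://polyfill.io/v3/polyfill.min.js?features=x to the mirror.
    Assumption: the mirror keeps the /vN/ path under /polyfill/, as the page's
    v3 links show; the query string is copied through byte-for-byte."""
    base, sep, query = url.partition("?")
    parts = urlsplit(base)
    if parts.netloc.lower() not in POLYFILL_HOSTS:
        return url
    return f"https://{MIRROR_HOST}/polyfill{parts.path}{sep}{query}"

class _ScriptSrcRewriter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.edits = []  # (raw start tag, rewritten start tag) pairs

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        raw = self.get_starttag_text()
        new = SRC_ATTR.sub(lambda m: m[1] + m[2] + rewrite_polyfill_url(m[3]),
                           raw, count=1)
        if new != raw:
            self.edits.append((raw, new))

def rewrite_html(html, headers):
    """Rewrite polyfill.io script links unless the response carries a CSP."""
    if any(k.lower() == "content-security-policy" for k in headers):
        return html  # a rewritten src could violate the site's own policy
    parser = _ScriptSrcRewriter()
    parser.feed(html)
    parser.close()
    for raw, new in parser.edits:
        html = html.replace(raw, new, 1)  # tags replaced in document order
    return html

# Constructed sample response body: one polyfill.io tag, one unrelated tag.
SAMPLE_HTML = ('<script src="https://polyfill.io/v3/polyfill.min.js?features=es6'
               '&amp;flags=gated"></script>\n<script src="/app.js"></script>')
```

Calling rewrite_html(SAMPLE_HTML, {"Content-Type": "text/html"}) rewrites only the first tag; passing a header dict that contains Content-Security-Policy returns the body unchanged.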

Enabled by default for free customers, optional for all others

Cloudflare proxies millions of websites, and a large portion of these sites are on our free plan. Customers on free plans tend to have simpler applications and often lack the resources to update and respond quickly to security issues. We have therefore decided to enable the feature by default for sites on our free plan, as it reduces the chance of problems while keeping a very large portion of applications that use polyfill.io safe.

Customers with a paid subscription, on the other hand, have more complex applications and respond faster to security alerts. We are confident that most paying customers using polyfill.io and Cloudflare will appreciate the ability to virtually patch the issue with a single click, while choosing when to do so.

All customers can disable the feature at any time.

This isn’t the first time we’ve decided that a security issue was so widespread and serious that we would enable protection for all customers, regardless of whether they were a paying customer or not. In 2014 we made Shellshock protection available to everyone. In 2021, when the log4j vulnerability was disclosed, we rolled out protection for all customers.

If you use Cloudflare, you can remove polyfill.io with a single click on the Cloudflare dashboard by going to your zone ⇒ Security ⇒ Settings. If you are a free customer, the rewrite is automatically active. We hope this feature will help you solve the problem quickly.

Nevertheless, you will eventually need to search your code repositories for instances of polyfill.io and replace it with an alternative provider, such as Cloudflare’s secure mirror under cdnjs (https://cdnjs.cloudflare.com/polyfill/). Website owners who don’t use Cloudflare should also complete these steps.

The underlying bundle links you should use are:

- Minified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js
- Non-minified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.js

Doing this will ensure that your website is no longer dependent on polyfill.io.
