Polykill

Sites reported to be using cdn.polyfill.io (as of Feb 27, 2024)

This website was created to bring awareness to a major JavaScript supply-chain risk: a well known and broadly used JavaScript file, hosted on the polyfill.io domain, is now served by a party that the sites embedding it did not choose and do not control.

As of February 24, 2024, cdn.polyfill.io, the domain that serves the polyfill.io JavaScript library, has been acquired by a Chinese company named Funnull. Polyfill.io is a widely used polyfill service, loaded by script tag into many of the world's best known web applications. All polyfill.io traffic now resolves to the Baishan Cloud CDN (https://www.baishancloud.com/).

There are serious risks in letting an unknown foreign entity control JavaScript that is served into your web application. A script loaded from a third-party host runs with the full privileges of your page's origin: it can read the DOM and every form field as the user types, read any cookie not marked HttpOnly, and send that data anywhere. Whoever controls the host can quietly observe user traffic (each request for the script carries the visitor's IP address, User-Agent and referring page), and, if they chose to act maliciously, could capture usernames, passwords and credit card numbers directly in the browser. Because the script is fetched fresh on every page load and polyfill.io varies its response by User-Agent, a malicious version could be served selectively, to some browsers or regions only, which makes tampering hard to spot and also means a Subresource Integrity (SRI) hash cannot be used with the remote version.

To remove the domain "cdn.polyfill.io" from your web properties, follow these steps:

Step 1: Identify Usage

Developers should use a code search tool or IDE to search for cdn.polyfill.io in source code across all projects in the organization. Also check templates, CMS themes, tag-manager containers and built or vendored assets, since the reference is often injected outside the main repository.

Step 2: Replace with a Secure Version

Fastly has taken a snapshot of the code from before the sale to Funnull and is hosting it at https://polyfill-fastly.io. Use this host until you are able to download the library and host it yourself. Developers should download the polyfill.js bundle they need, review and scan it, and serve it from their own infrastructure. Note that polyfill.io tailors its response to the requesting browser's User-Agent, so a self-hosted copy is a single static bundle: request only the features you actually need and, once the file is static, pin it with a Subresource Integrity hash. Replace every <script src="//cdn.polyfill.io"... with the new <script src="//polyfill-fastly.io"... or with your locally hosted polyfill file.
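The two steps above as one runnable script. This is an added example, not code from the Polykill page or from the polyfill-service project. It assumes a POSIX shell with grep, sed and mktemp, searches a source tree for cdn.polyfill.io references, rewrites the host to polyfill-fastly.io (or to any host you pass, such as your own static server), and demonstrates itself on a constructed sample tree; the sample file names and HTML are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Polykill page): find and replace
# cdn.polyfill.io references in a source tree.
set -eu

# find_polyfill_refs DIR: print file:line:text for every cdn.polyfill.io
# reference, skipping binaries, .git and node_modules.
find_polyfill_refs() {
  grep -rIn --exclude-dir=.git --exclude-dir=node_modules \
    'cdn\.polyfill\.io' "$1" || true
}

# count_polyfill_refs DIR: number of referencing lines (0 when clean).
count_polyfill_refs() {
  find_polyfill_refs "$1" | wc -l | tr -d ' '
}

# rewrite_polyfill_host DIR NEWHOST: rewrite the host in every file that
# references it, e.g. to polyfill-fastly.io or to your own static host.
rewrite_polyfill_host() {
  dir=$1
  newhost=$2
  find_polyfill_refs "$dir" | cut -d: -f1 | sort -u | while IFS= read -r f; do
    tmp="$f.polykill.tmp"
    sed "s#cdn\.polyfill\.io#$newhost#g" "$f" > "$tmp" && mv "$tmp" "$f"
  done
}

# demo_polyfill_rewrite: build a constructed sample tree, rewrite it and
# print the number of references remaining on the last line (expected: 0).
demo_polyfill_rewrite() {
  work=$(mktemp -d)
  mkdir -p "$work/templates"
  # Constructed sample files, not real project code.
  cat > "$work/templates/base.html" <<'EOF'
<!doctype html>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>
EOF
  printf 'console.log("no polyfill reference here");\n' > "$work/app.js"

  echo "before:"
  find_polyfill_refs "$work"
  rewrite_polyfill_host "$work" polyfill-fastly.io
  echo "after:"
  cat "$work/templates/base.html"
  remaining=$(count_polyfill_refs "$work")
  rm -rf "$work"
  echo "$remaining"
}

demo_polyfill_rewrite
```

Run `find_polyfill_refs .` from the root of each repository first and review the hits before rewriting; the sed pattern only swaps the host, so any `features=` query string and the rest of the script tag are preserved. Once the bundle is self-hosted, point the tag at your own path instead and add an SRI hash.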

To follow updates, refer to this GitHub issue: https://github.com/polyfillpolyfill/polyfill-service/issues/2834.

Polyfill.js History

The polyfill.js JavaScript library was created within the Financial Times (FT.com) development team, was heavily evangelized and written about in the early 2010s, and was subsequently adopted by a large part of the web development community.