Polykill

Web Content Risk Tooling

Polykill is used to monitor and observe how scripts and other resources running within your web application behave along with risks associated with them.

Three options for getting started:

Free

Locally run a Chrome browser extension that provides a risk report of all the scripts and resources loading on your website.

Free (Coming Soon!)

Need full site coverage? Add this JavaScript file across your entire application or specific pages to receive regular reporting.

Free

Don't want to do any heavy lifting? Polykill automatically scans your site. The process is fully automated and doesn't require any installation.

If you'd like to run the Polykill web content risk assessment to see a sample report, submit your site and email here.

The Backstory

In February 2024, the domain and GitHub account for Polyfill.io were acquired by a Chinese company named Funnull. Soon after, the new owners modified the script to inject malicious code. This resulted in a supply chain attack affecting over 100,000 websites. The malicious code redirected users to scam sites, such as fake sports betting pages, through techniques resistant to reverse engineering.News

The Polyfill.io supply chain attack underscores a critical vulnerability in web security: the potential risks associated with third-party scripts. Any external script, no matter how widely trusted or essential it may seem, can become a vector for malicious activity if compromised.

The Solution

To prevent these types of incidents, it’s crucial to understand the risks associated with every script on your site. Top recommendations and regulatory guidance include:

  • Incorporate robust JavaScript observability into your web security practices.
  • Use Content Security Policies (CSPs) and Subresource Integrity (SRI).
  • Verify script sources and conduct regular audits.
  • Hosting critical scripts on your infrastructure or using trusted mirrors adds an extra layer of protection.

The Polykill Risk API was created to report on specific JavaScript files (not just URLs) that are being loaded across a given website to ensure safety through advanced browser runtime analysis. Most URL/malware threat feeds are based on TLDs and many still don’t report cdn.polyfill.io as high risk. To make matters worse, these problems cannot be foreseen in the CI/CD process with code scanners like Snyk, Veracode and other SCA tools. Polykill takes a different approach by inventorying and analyzing the behavior of all JavaScript loaded on a given site. The Risk API correlates many different sources to understand if JavaScript is malicious or collecting user input.

The tooling is simple, free and open source. We host the analysis script as a service to those who want to include it on their site or just copy and paste it as a first party script.