A New Security Exploit Is Making Its Rounds via Polyfill.io and Must Be Removed Immediately

The polyfill.io domain, formerly the home of a library that smooths over feature gaps between browsers, was purchased by the Chinese company Funnull in February 2024. The new owner is now using the domain to inject malicious JavaScript into well over 100,000 websites around the world that still load the library from it.

URLs identified as at-risk include:

  • https[:]//polyfill(.)io/v3/polyfill.min.js 
  • https[:]//cdn(.)polyfill(.)io/v2/polyfill.min.js 
  • https[:]//cdn(.)polyfill(.)io/v3/polyfill.min.js 
  • https[:]//polyfill(.)io/v3/polyfill.js 
  • https[:]//cdn(.)polyfill(.)io/v2/polyfill.js 
  • https[:]//cdn(.)polyfill(.)io/v1/polyfill.min.js 
  • https[:]//polyfill(.)io/v2/polyfill.min.js 
  • https[:]//cdn(.)polyfill(.)io/v3/polyfill.js 
  • https[:]//polyfill(.)io/v2/polyfill.js

The malicious code only triggers under certain conditions, which appears to be an attempt to evade detection by security scanners and site administrators. When it does run, it redirects users to gambling and adult websites at certain times of day, or presents links that look like legitimate Google Analytics links but actually lead to phishing sites.

Current Risk Level of This Exploit

Thankfully, the polyfill.io domain was taken offline by its registrar, Namecheap, on June 27th, 2024. This is not a permanent solution, as the domain could come back online in the future. You can check whether a site still depends on this library by reviewing the browser console and network tab for requests to the polyfill.io domain.

As a further layer of protection, browser extensions such as uBlock now block this domain as well. That helps, but it only protects visitors who run the extension, so a permanent fix on the site itself is still needed.

How to Protect Your Site

All references to polyfill.io must be removed immediately. Cloudflare has been good enough to host a safe, drop-in alternative, which is located at the following URLs:

If you're already a Cloudflare customer, you can log in to your zone and enable the rewrite under Security -> Settings. Free-plan customers have the rewrite applied automatically. Note that the rewrite only affects pages served through Cloudflare's proxy; the references in your own source code should still be replaced.

Our team found no issues with the new library and has since deployed it to all affected projects.