Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove polyfill.io cheatsheet - the domain now serves malware #2145

Closed
Christopher-Hayes opened this issue Jun 26, 2024 · 0 comments · Fixed by #2146
Closed

Remove polyfill.io cheatsheet - the domain now serves malware #2145

Christopher-Hayes opened this issue Jun 26, 2024 · 0 comments · Fixed by #2146

Comments

@Christopher-Hayes
Copy link
Contributor

Description

The domain now serves a malicious script. Even before this security incident, it has been recommended that devs avoid it already.

Sources

The domain now serves malware: https://cside.dev/blog/more-than-100k-websites-targeted-in-web-supply-chain-attack

The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.

Similar GitHub issues discussing its removal:

Polyfill.io creator:

If your website uses polyfill.io, remove it IMMEDIATELY.
I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale.

No website today requires any of the polyfills in the polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.

- posted on X/Twitter

Solution

It's most important that cheatsheets no longer helps users install polyfill.io from a malicious domain.

However, it might be a good idea to notify users that they should no longer use polyfill.io, rather than completely removing the cheatsheet without notice.

rstacruz added a commit that referenced this issue Jun 27, 2024
A warning is added to the polyfill.io sheet in relation to the malicious
script that is now being served by polyfill.io. Removed all links to
that domain.

The code snippets have also been updated to use Cloudflare's script
instead. This allows users to keep using polyfill securely while they
move their codebase away from using this polyfill.

Cloudflare press release:
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

Fixes #2145

---------

Co-authored-by: Rico Sta. Cruz <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant