Malware & Threats

Polyfill Domain Shut Down as Owner Disputes Accusations of Malicious Activity

Namecheap shut down polyfill.io amid reports of malicious activity, but the Chinese owner claims it has good intentions.

Multiple reports of malicious activity have led to the polyfill.io domain being suspended on Wednesday and the Chinese owner of the domain fuming over so-called “malicious defamation”.

The domain was used to host polyfills, small pieces of JavaScript that implement modern browser features in older browsers, extending a website's compatibility without additional work from its developers.

Polyfill has been around for over a decade, and earlier this week there were over 100,000 websites automatically loading and executing code from polyfill.io in visitors’ browsers.

In February 2024, the original project developer cast doubt on the legitimacy of the service, as the polyfill.io domain had just been purchased by a Chinese firm, while also underlining that Polyfill was no longer needed in modern browsers, despite its wide use.

Potentially malicious behavior associated with polyfill.io was first reported several weeks ago on the project’s GitHub page, but the new owner, a Chinese content delivery network (CDN) company named Funnull, quickly deleted the posts.

This week, however, the bubble burst, after security researchers raised the alarm on malicious behavior associated with ‘cdn.polyfill.io’: visitors to websites embedding its script were being redirected to sports betting and adult sites, and the injected code used various evasion techniques.

In light of major supply chain incidents such as the XZ Utils backdoor, the industry reacted promptly: Google warned advertisers of the malicious redirects, uBlock Origin started blocking polyfill.io, and Namecheap suspended the domain.

Shortly after the reports came in, Cloudflare began automatically rewriting links to polyfill.io on websites proxied through its infrastructure, directing them to its own polyfill mirror.


“This will avoid breaking site functionality while mitigating the risk of a supply chain attack,” Cloudflare explained.
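The mitigations described above, rewriting or removing third-party script tags that point at polyfill.io, are easy to audit for in your own HTML. The following is an added example written for this page; it is not code from the article, from Cloudflare, or from Funnull. The regular expressions, the self-hosted replacement path, and the sample HTML are assumptions made for the illustration; since the article notes that polyfills are no longer needed by modern browsers, the example also supports removing the script element entirely.

```javascript
// Added example (not from the article, Cloudflare or Funnull): find <script>
// tags that load code from polyfill.io / polyfill.com, and either rewrite them
// to a self-hosted copy (as Cloudflare's proxy rewriting does) or strip them.

// Domains named in the article as hosting the service.
const SUSPECT_HOSTS = ['polyfill.io', 'polyfill.com'];

// Hypothetical self-hosted bundle: a site vendors the polyfill it needs and
// serves it from its own origin, so no third party controls what visitors run.
const SELF_HOSTED = '/static/vendor/polyfill.min.js';

// Matches a <script ...> opening tag with a src attribute; group 2 is the URL.
const SCRIPT_RE = /<script\b[^>]*\ssrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;
// Matches the whole <script ...>...</script> element for removal.
const ELEMENT_RE = /<script\b[^>]*\ssrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>[\s\S]*?<\/script\s*>/gi;

function hostOf(src) {
  try {
    // Protocol-relative URLs (//cdn.polyfill.io/...) are common in older markup;
    // the base only matters for relative paths, which resolve to a local host.
    const url = new URL(src.startsWith('//') ? 'https:' + src : src, 'https://example.invalid/');
    return url.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Exact host or any subdomain (cdn.polyfill.io), but not look-alikes such as
// notpolyfill.io.
function isSuspect(host) {
  if (!host) return false;
  return SUSPECT_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

// Returns the src values of every offending script tag in the HTML.
function findPolyfillScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    if (isSuspect(hostOf(m[2]))) hits.push(m[2]);
  }
  return hits;
}

// Returns the HTML with each offending src pointed at the self-hosted copy.
function rewritePolyfillScripts(html, replacement = SELF_HOSTED) {
  return html.replace(SCRIPT_RE, (tag, quote, src) =>
    isSuspect(hostOf(src)) ? tag.replace(src, replacement) : tag);
}

// Returns the HTML with each offending <script> element removed outright.
function stripPolyfillScripts(html) {
  return html.replace(ELEMENT_RE, (element, quote, src) =>
    isSuspect(hostOf(src)) ? '' : element);
}

// Constructed sample page for the demonstration (not a real site).
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script type="text/javascript" src='//polyfill.io/v2/polyfill.js'></script>
<script src="/js/app.js"></script>
<script src="https://www.notpolyfill.io/x.js"></script>
</head><body></body></html>`;

console.log(findPolyfillScripts(SAMPLE_HTML));
console.log(rewritePolyfillScripts(SAMPLE_HTML));
```

Run it on a saved copy of a page (or over a crawl of your templates); any non-empty result from findPolyfillScripts is a script tag whose content is controlled by whoever holds the domain. Note that Subresource Integrity hashes would not have helped here, because the service generated a different bundle per requesting browser, so pinning a hash would have broken exactly the dynamic behaviour the service sold.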

The Polyfill service was moved to polyfill.com, but that domain appears to have been blocked as well.

Funnull reacted as well, saying there was no supply chain risk and claiming that the reports were nothing more than slander and malicious defamation, and that its services are cached in Cloudflare. The web security firm, however, made it clear that it had not “authorized their use of Cloudflare’s name on their website”.

“Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would jeopardize our own reputation,” the company posted on X.

“I have had enough of Cloudflare’s repeated, baseless, and malicious defamation. Their unethical strategy of suppressing competition before promoting their own products is deplorable. Moving forward, I will be fully dedicated to developing a global CDN product that surpasses Cloudflare,” it said in another post.

The company claims to have received $50 million in funding that will go towards improving the services, but various security veterans and software engineers reacted to the company’s posts, calling it out for making false statements and for copying the descriptions of legitimate services as their own.

Funnull appears to be owned by the Chinese-language firm ACB Group, but its actual location is unclear. The CDN’s website claims it is based in Slovenia with US ties, its X account claims it is from the UK, its contact number is in the Philippines, and its posts are in Mandarin, suggesting at least some connections with China.

Related: Polyfill Supply Chain Attack Hits Over 100k Websites

Related: Zero-Day Attacks and Supply Chain Compromises Surge, MFA Remains Underutilized: Rapid7 Report

Related: Top Python Developers Hacked in Sophisticated Supply Chain Attack

Related: UK, Korea Warn of DPRK Supply Chain Attacks Involving Zero-Day Flaws

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.