Thousands of websites told to ditch Polyfill service after Chinese hackers hijack it to serve malware

HTTPS in a browser address bar
(Image credit: Shutterstock)

Website administrators are being urged to remove the Polyfill.io service immediately after it was found to be serving malware to site visitors.

A polyfill is a piece of code (typically JavaScript) used to provide modern functionality on older browsers that do not natively support it. The term originates from the idea of "filling in" the gaps in a browser's feature set, allowing developers to use modern web standards and APIs without worrying about compatibility issues. Polyfills enable developers to write code using the latest standards while ensuring it still works in older environments.

The Polyfill.io service is quite popular, with more than 100,000 sites using it today - and it was sold in February 2024 to a Chinese company. Back then, the project’s original owners warned its users to remove the tool immediately, since they were now susceptible to a supply chain attack. Both Cloudflare and Fastly set up their own versions of the Polyfill.io service, giving users a trusted service.

Google's warning

"No website today requires any of the polyfills in the http://polyfill.io library," tweeted the original Polyfills service project developer. "Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

Fast forward a few months, and now cybersecurity experts from Sansec are warning that polyfill was serving malware. 

"In February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec said.

Google also chimed in, notifying affected advertisers about their landing pages now possibly redirecting visitors away from their intended destination, and towards possibly malicious websites. 

"The code causing these redirects seems to be coming from a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org," BleepingComputer cited an email from Google as saying.  

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.