Polyfill.io, a Javascript library, has been compromised thats been used by over 100,000 sites, including Disney-owned streaming service Hulu.
Once the domain has been compromised, it is used to redirect visitors to undesired sites. These redirects only occur at certain times and on devices that meet certain conditions.
Google sent out a notification to affected site owners summarizing the security issue and noting that specific third-party libraries like Polyfill.io can sometimes redirect visitors away from the intended website without the website owner’s knowledge or permission.
Cloudflare similarly states that the Polyfill.io domain can not be trusted and has shared a solution for any domain Cloudflare proxies. The Polyfill domain in question is falsely stating that Cloudflare recommends them when it never has.
The Polyfill domain was reportedly sold to a Chinese company, dubbed Funnull, back in February. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords, and credit card information directly as users enter the information in the web browser.
Even Polyfill’s original creator Andrew Betts—who says he is no longer working on Polyfill and was not responsible for its Funnull sale—is telling sites to drop Polyfill.io. “Remove it IMMEDIATELY,” Betts writes in a post.
