Polyfill.io CDN Hijack: 100,000 Websites Serve Malicious JavaScript After Domain Sale
A Chinese company purchased the polyfill.io domain and CDN service. Within weeks, it was serving malicious JavaScript to 100,000 websites that had embedded the script to support older browsers.
Attack Chain
1. Polyfill.io domain purchased
2. JavaScript payload injected
3. 100K+ sites serve malware
4. Users redirected to scam sites
5. Campaign detected and domain taken down
Background
polyfill.io was a widely used service that served JavaScript "polyfills" — code that gives older browsers modern web features. Website developers included a simple script tag pointing to cdn.polyfill.io to automatically serve the right polyfills for each visitor's browser. An estimated 100,000 websites had embedded this CDN link.
The Attack
In February 2024, the polyfill.io domain was sold to a Chinese company called Funnull. By June 2024, security researchers at Sansec discovered that the CDN was serving JavaScript that redirected mobile users to fraudulent websites and gambling scams, activating only on mobile devices and only during certain times of day. The malicious script analysed the user's device type, time zone, and browsing context before deciding whether to activate, which made it hard to detect in developer testing, which typically runs on desktops.
Response
Google began blocking ads on websites using polyfill.io once the malicious behaviour was confirmed. CDN providers Cloudflare and Fastly set up mirror services. The original polyfill.io GitHub repository owner (Andrew Betts) published a statement urging all websites to remove the CDN link. Major websites scrambled to remove the script tag.
Outcome
The attack affected an estimated 100,000 websites, serving malicious code to their combined visitor base of millions. The incident illustrated the risk of embedding third-party JavaScript from CDNs that can change ownership without notice. Andrew Betts, who had created the polyfill service, had never owned the polyfill.io domain — it had been registered independently.
Key Takeaways
- Never embed third-party JavaScript CDNs without Subresource Integrity (SRI) hashes that lock the exact content
- Domain ownership of CDN services can change — remove dependencies on CDNs you do not control or cannot audit
- Self-host critical JavaScript dependencies or use CDNs with transparent ownership and security policies
- CDN scripts have access to your users' browsers — they are one of the highest-risk third-party dependencies