URL: https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet


AUTOMATICALLY REPLACING POLYFILL.IO LINKS WITH CLOUDFLARE’S MIRROR FOR A SAFER INTERNET

06/26/2024

 * Matthew Prince
 * John Graham-Cumming
 * Michael Tremante

6 min read

polyfill.io, a popular JavaScript library service, can no longer be trusted and
should be removed from websites.

Multiple reports, corroborated with data seen by our own client-side security
system, Page Shield, have shown that the polyfill service was being used, and
could be used again, to inject malicious JavaScript code into users’ browsers.
This is a real threat to the Internet at large given the popularity of this
library.

We have, over the last 24 hours, released an automatic JavaScript URL rewriting
service that will rewrite any link to polyfill.io found in a website proxied by
Cloudflare to a link to our mirror under cdnjs. This will avoid breaking site
functionality while mitigating the risk of a supply chain attack.

Any website on the free plan has this feature automatically activated now.
Websites on any paid plan can turn on this feature with a single click.

You can find this new feature under Security ⇒ Settings on any zone using
Cloudflare.

Contrary to what is stated on the polyfill.io website, Cloudflare has never
recommended the polyfill.io service or authorized their use of Cloudflare’s name
on their website. We have asked them to remove the false statement, and they
have, so far, ignored our requests. This is yet another warning sign that they
cannot be trusted.

If you are not using Cloudflare today, we still highly recommend that you remove
any use of polyfill.io and/or find an alternative solution. And, while the
automatic replacement function will handle most cases, the best practice is to
remove polyfill.io from your projects and replace it with a secure alternative
mirror like Cloudflare’s even if you are a customer.

You can do this by searching your code repositories for instances of polyfill.io
and replacing it with cdnjs.cloudflare.com/polyfill/ (Cloudflare’s mirror). This
is a non-breaking change as the two URLs will serve the same polyfill content.
All website owners, regardless of the website using Cloudflare, should do this
now.


HOW WE CAME TO THIS DECISION

Back in February, the domain polyfill.io, which hosts a popular JavaScript
library, was sold to a new owner: Funnull, a relatively unknown company. At the
time, we were concerned that this created a supply chain risk. This led us to
spin up our own mirror of the polyfill.io code hosted under cdnjs, a JavaScript
library repository sponsored by Cloudflare.

The new owner was unknown in the industry and did not have a track record of
trust to administer a project such as polyfill.io. The concern, highlighted even
by the original author, was that if they were to abuse polyfill.io by injecting
additional code into the library, it could cause far-reaching security problems on
the Internet affecting several hundred thousand websites. Or it could be
used to perform a targeted supply-chain attack against specific websites.

Unfortunately, that worry came true on June 25, 2024, as the polyfill.io service
was being used to inject nefarious code that, under certain circumstances,
redirected users to other websites.

We have taken the exceptional step of using our ability to modify HTML on the
fly to replace references to the polyfill.io CDN in our customers’ websites with
links to our own, safe, mirror created back in February.

In the meantime, additional threat feed providers have also taken the decision
to flag the domain as malicious. We have not outright blocked the domain through
any of the mechanisms we have because we are concerned it could cause widespread
web outages given how broadly polyfill.io is used with some estimates indicating
usage on nearly 4% of all websites.


CORROBORATING DATA WITH PAGE SHIELD

The original report indicates that malicious code was injected that, under
certain circumstances, would redirect users to betting sites. It was doing this
by loading additional JavaScript that would perform the redirect, under a set of
additional domains which can be considered Indicators of Compromise (IoCs):


(Note the intentional misspelling of Google Analytics in the IoC domains.)

Page Shield, our client-side security solution, is available on all paid plans.
When turned on, it collects information about JavaScript files loaded by end
user browsers accessing your website.

By looking at the database of detected JavaScript files, we immediately found
matches with the IoCs provided above starting as far back as 2024-06-08 15:23:51
(first seen timestamp on Page Shield detected JavaScript file). This was a clear
indication that malicious activity was active and associated with polyfill.io.


REPLACING INSECURE JAVASCRIPT LINKS TO POLYFILL.IO

To achieve performant HTML rewriting, we need to make blazing-fast HTML
alterations as responses stream through Cloudflare’s network. This has been made
possible by leveraging ROFL (Response Overseer for FL). ROFL powers various
Cloudflare products that need to alter HTML as it streams, such as Cloudflare
Fonts, Email Obfuscation and Rocket Loader.

ROFL is developed entirely in Rust. The memory-safety features of Rust are
indispensable for ensuring protection against memory leaks while processing a
staggering volume of requests, measuring in the millions per second. Rust's
compiled nature allows us to finely optimize our code for specific hardware
configurations, delivering performance gains compared to interpreted languages.

The performance of ROFL allows us to rewrite HTML on-the-fly and modify the
polyfill.io links quickly, safely, and efficiently. This speed helps us reduce
any additional latency added by processing the HTML file.

If the feature is turned on, for any HTTP response with an HTML Content-Type, we
parse the src attribute of every script tag. If any points to polyfill.io, we
rewrite the src attribute to link to our mirror instead, mapping to the matching
version of the polyfill service while leaving the query string untouched.

The logic will not activate if a Content Security Policy (CSP) header is found
in the response. This ensures we do not replace a link that the site's CSP would
then block, which could break the website.
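The rewrite rules described above (HTML responses only, polyfill.io script sources mapped to the cdnjs mirror with the query string preserved, no change when a CSP header is present), as an added Python example that is not Cloudflare's ROFL code. It assumes the mirror layout given in this post (https://cdnjs.cloudflare.com/polyfill/v3/...), maps only the v3 bundle paths the post documents, and treats any subdomain of polyfill.io as a polyfill.io link; the same `rewrite_polyfill_url` mapping can be run over source files when doing the repository-wide replacement the post recommends.

```python
import re
from urllib.parse import urlsplit, urlunsplit

MIRROR_HOST = "cdnjs.cloudflare.com"
MIRROR_PREFIX = "/polyfill"  # mirror layout: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js
# Only the bundle paths the post documents (v3, minified and unminified) are mapped (assumption).
KNOWN_BUNDLE = re.compile(r"^/v3/polyfill(\.min)?\.js$")
SCRIPT_SRC = re.compile(r"""(<script\b[^>]*?(?<![\w-])src\s*=\s*)(["'])(.*?)\2""", re.I | re.S)

def rewrite_polyfill_url(src):
    """Return the cdnjs mirror URL for a polyfill.io bundle link, or None if src is not one."""
    parts = urlsplit(src.strip())
    host = (parts.hostname or "").lower()
    if host != "polyfill.io" and not host.endswith(".polyfill.io"):
        return None
    if not KNOWN_BUNDLE.match(parts.path):
        return None  # unknown version or path: leave it alone rather than guess
    # Version path and query string are preserved; only scheme, host and path prefix change.
    return urlunsplit(("https", MIRROR_HOST, MIRROR_PREFIX + parts.path, parts.query, ""))

def rewrite_html(body, headers):
    """Rewrite <script src> links to polyfill.io in one HTTP response; returns (body, count)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "text/html" not in lowered.get("content-type", "").lower():
        return body, 0  # only HTML responses are touched
    if "content-security-policy" in lowered:
        return body, 0  # a CSP might not allow-list the mirror origin, so leave the page alone
    count = 0
    def sub(m):
        nonlocal count
        new = rewrite_polyfill_url(m.group(3))
        if new is None:
            return m.group(0)
        count += 1
        return f"{m.group(1)}{m.group(2)}{new}{m.group(2)}"
    return SCRIPT_SRC.sub(sub, body), count

# Constructed sample response (not captured traffic): one polyfill.io link, one unrelated script.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_BODY = (
    '<html><head>\n'
    '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6,fetch"></script>\n'
    '<script src="/static/app.js"></script>\n'
    '</head><body></body></html>'
)

if __name__ == "__main__":
    out, n = rewrite_html(SAMPLE_BODY, SAMPLE_HEADERS)
    print(f"{n} link(s) rewritten\n{out}")
```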


DEFAULT ON FOR FREE CUSTOMERS, OPTIONAL FOR EVERYONE ELSE

Cloudflare proxies millions of websites, and a large portion of these sites are
on our free plan. Free plan customers tend to have simpler applications while
not having the resources to update and react quickly to security concerns. We
therefore decided to turn on the feature by default for sites on our free plan,
as the likelihood of causing issues is reduced while also helping keep safe a
very large portion of applications using polyfill.io.

Paid plan customers, on the other hand, have more complex applications and react
quicker to security notices. We are confident that most paid customers using
polyfill.io and Cloudflare will appreciate the ability to virtually patch the
issue with a single click, while controlling when to do so.

All customers can turn off the feature at any time.

This isn’t the first time we’ve decided a security problem was so widespread and
serious that we’d enable protection for all customers regardless of whether they
were a paying customer or not. Back in 2014, we enabled Shellshock protection
for everyone. In 2021, when the log4j vulnerability was disclosed we rolled out
protection for all customers.


DO NOT USE POLYFILL.IO

If you are using Cloudflare, you can remove polyfill.io with a single click on
the Cloudflare dashboard by heading over to your zone ⇒ Security ⇒ Settings. If
you are a free customer, the rewrite is automatically active. This feature, we
hope, will help you quickly patch the issue.

Nonetheless, you should ultimately search your code repositories for instances
of polyfill.io and replace them with an alternative provider, such as
Cloudflare’s secure mirror under cdnjs (https://cdnjs.cloudflare.com/polyfill/).
Website owners who are not using Cloudflare should also perform these steps.

The underlying bundle links you should use are:

For minified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js
For unminified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.js

Doing this ensures your website is no longer relying on polyfill.io.

Tags: CDNJS, JavaScript, Vulnerabilities, Application Security, Application Services, Supply Chain Attacks, Attacks, Better Internet
