URL:
https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet
Submission: On June 28 via manual from GB — Scanned from GB
AUTOMATICALLY REPLACING POLYFILL.IO LINKS WITH CLOUDFLARE’S MIRROR FOR A SAFER INTERNET

06/26/2024
Matthew Prince, John Graham-Cumming, Michael Tremante
6 min read

polyfill.io, a popular JavaScript library service, can no longer be trusted and should be removed from websites. Multiple reports, corroborated with data seen by our own client-side security system, Page Shield, have shown that the polyfill service was being used, and could be used again, to inject malicious JavaScript code into users’ browsers. This is a real threat to the Internet at large given the popularity of this library.

We have, over the last 24 hours, released an automatic JavaScript URL rewriting service that will rewrite any link to polyfill.io found in a website proxied by Cloudflare to a link to our mirror under cdnjs. This will avoid breaking site functionality while mitigating the risk of a supply chain attack. Any website on the free plan has this feature automatically activated now. Websites on any paid plan can turn on this feature with a single click. You can find this new feature under Security ⇒ Settings on any zone using Cloudflare.

Contrary to what is stated on the polyfill.io website, Cloudflare has never recommended the polyfill.io service or authorized their use of Cloudflare’s name on their website. We have asked them to remove the false statement, and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted.

If you are not using Cloudflare today, we still highly recommend that you remove any use of polyfill.io and/or find an alternative solution.
And, while the automatic replacement function will handle most cases, the best practice is to remove polyfill.io from your projects and replace it with a secure alternative mirror like Cloudflare’s, even if you are a customer. You can do this by searching your code repositories for instances of polyfill.io and replacing them with cdnjs.cloudflare.com/polyfill/ (Cloudflare’s mirror). This is a non-breaking change, as the two URLs serve the same polyfill content. All website owners, whether or not the website uses Cloudflare, should do this now.

HOW WE CAME TO THIS DECISION

Back in February, the domain polyfill.io, which hosts a popular JavaScript library, was sold to a new owner: Funnull, a relatively unknown company. At the time, we were concerned that this created a supply chain risk. This led us to spin up our own mirror of the polyfill.io code hosted under cdnjs, a JavaScript library repository sponsored by Cloudflare.

The new owner was unknown in the industry and did not have a track record of trust to administer a project such as polyfill.io. The concern, highlighted even by the original author, was that if they were to abuse polyfill.io by injecting additional code into the library, it could cause far-reaching security problems on the Internet affecting several hundred thousand websites. Or it could be used to perform a targeted supply-chain attack against specific websites.

Unfortunately, that worry came true on June 25, 2024, as the polyfill.io service was being used to inject nefarious code that, under certain circumstances, redirected users to other websites.

We have taken the exceptional step of using our ability to modify HTML on the fly to replace references to the polyfill.io CDN in our customers’ websites with links to our own, safe mirror created back in February. In the meantime, additional threat feed providers have also taken the decision to flag the domain as malicious.
We have not outright blocked the domain through any of the mechanisms we have because we are concerned it could cause widespread web outages, given how broadly polyfill.io is used, with some estimates indicating usage on nearly 4% of all websites.

CORROBORATING DATA WITH PAGE SHIELD

The original report indicates that malicious code was injected that, under certain circumstances, would redirect users to betting sites. It did this by loading additional JavaScript that performed the redirect from a set of additional domains, which can be considered Indicators of Compromise (IoCs); note the intentional misspelling of Google Analytics in the lookalike domain they used.

Page Shield, our client-side security solution, is available on all paid plans. When turned on, it collects information about JavaScript files loaded by end user browsers accessing your website. By looking at the database of detected JavaScript files, we immediately found matches with the IoCs above, starting as far back as 2024-06-08 15:23:51 (the first-seen timestamp on a JavaScript file detected by Page Shield). This was a clear indication that malicious activity was active and associated with polyfill.io.

REPLACING INSECURE JAVASCRIPT LINKS TO POLYFILL.IO

To achieve performant HTML rewriting, we need to make blazing-fast HTML alterations as responses stream through Cloudflare’s network. This has been made possible by leveraging ROFL (Response Overseer for FL).
ROFL powers various Cloudflare products that need to alter HTML as it streams, such as Cloudflare Fonts, Email Obfuscation and Rocket Loader. ROFL is developed entirely in Rust. The memory-safety features of Rust are indispensable for ensuring protection against memory leaks while processing a staggering volume of requests, measuring in the millions per second. Rust's compiled nature allows us to finely optimize our code for specific hardware configurations, delivering performance gains compared to interpreted languages.

The performance of ROFL allows us to rewrite HTML on the fly and modify the polyfill.io links quickly, safely, and efficiently. This speed helps us reduce any additional latency added by processing the HTML file.

If the feature is turned on, for any HTTP response with an HTML Content-Type, we parse all JavaScript script tag source attributes. If any are found linking to polyfill.io, we rewrite the src attribute to link to our mirror instead. We map to the correct version of the polyfill service while the query string is left untouched. The logic will not activate if a Content Security Policy (CSP) header is found in the response. This ensures we don’t replace the link in a way that violates the CSP policy and therefore potentially breaks the website.

DEFAULT ON FOR FREE CUSTOMERS, OPTIONAL FOR EVERYONE ELSE

Cloudflare proxies millions of websites, and a large portion of these sites are on our free plan. Free plan customers tend to have simpler applications while not having the resources to update and react quickly to security concerns. We therefore decided to turn on the feature by default for sites on our free plan, as the likelihood of causing issues is reduced while also helping keep safe a very large portion of applications using polyfill.io. Paid plan customers, on the other hand, have more complex applications and react quicker to security notices.
We are confident that most paid customers using polyfill.io and Cloudflare will appreciate the ability to virtually patch the issue with a single click, while controlling when to do so. All customers can turn off the feature at any time.

This isn’t the first time we’ve decided a security problem was so widespread and serious that we’d enable protection for all customers, regardless of whether they were a paying customer or not. Back in 2014, we enabled Shellshock protection for everyone. In 2021, when the log4j vulnerability was disclosed, we rolled out protection for all customers.

DO NOT USE POLYFILL.IO

If you are using Cloudflare, you can remove polyfill.io with a single click on the Cloudflare dashboard by heading over to your zone ⇒ Security ⇒ Settings. If you are a free customer, the rewrite is automatically active. This feature, we hope, will help you quickly patch the issue. Nonetheless, you should ultimately search your code repositories for instances of polyfill.io and replace them with an alternative provider, such as Cloudflare’s secure mirror under cdnjs (https://cdnjs.cloudflare.com/polyfill/). Website owners who are not using Cloudflare should also perform these steps.

The underlying bundle links you should use are:

* Minified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js
* Unminified: https://cdnjs.cloudflare.com/polyfill/v3/polyfill.js

Doing this ensures your website is no longer relying on polyfill.io.
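The rewriting rule described in the post (rewrite polyfill.io script src attributes to the cdnjs mirror, keep the version path and query string, do nothing when a CSP header is present) and the "search your repositories and replace" advice can both be exercised with the following Python, which is an added example and not Cloudflare's ROFL code. It assumes cdn.polyfill.io as an additional host alias and uses a constructed sample response; the exact host match is deliberate so that lookalike domains and paths that merely contain the string polyfill.io are left alone.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts to rewrite; cdn.polyfill.io is an assumed alias, the post names only polyfill.io
POLYFILL_HOSTS = {"polyfill.io", "cdn.polyfill.io"}
MIRROR_HOST, MIRROR_PREFIX = "cdnjs.cloudflare.com", "/polyfill"

# src attribute of a <script> tag: group 2 is the quote character, group 3 the URL
SCRIPT_SRC = re.compile(r'(<script\b[^>]*?\bsrc\s*=\s*)(["\'])([^"\']*)\2',
                        re.IGNORECASE)

# Constructed sample response (not from the post): one polyfill.io link, one local script
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = ('<script src="https://polyfill.io/v3/polyfill.min.js?features=es6,fetch">'
               '</script><script src="/app.js"></script>')


def mirror_url(src):
    """Map a polyfill.io script URL onto the cdnjs mirror; None if it is not one."""
    parts = urlsplit(src.strip())
    if parts.scheme.lower() not in ("", "http", "https"):
        return None
    # Exact host match: lookalike hosts and paths containing 'polyfill.io' stay untouched
    if parts.netloc.lower() not in POLYFILL_HOSTS:
        return None
    # Version path (/v3/polyfill.min.js) and query string (?features=...) carry over
    return urlunsplit(("https", MIRROR_HOST, MIRROR_PREFIX + parts.path,
                       parts.query, parts.fragment))


def _header(headers, name):
    """Case-insensitive lookup of one response header."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def rewrite_response(headers, body):
    """Return (new_body, links_rewritten) for one HTTP response."""
    # Guard 1: only HTML bodies are touched
    if not (_header(headers, "content-type") or "").lower().startswith("text/html"):
        return body, 0
    # Guard 2: a response carrying a CSP header passes through unchanged
    if _header(headers, "content-security-policy") is not None:
        return body, 0
    hits = []

    def swap(m):
        new = mirror_url(m.group(3))
        if new is None:  # not a polyfill.io link: leave the tag alone
            return m.group(0)
        hits.append(new)
        return m.group(1) + m.group(2) + new + m.group(2)

    return SCRIPT_SRC.sub(swap, body), len(hits)
```

Running the same function over files in a repository (instead of over proxied responses) gives the offline search-and-replace the post recommends; the two guards are then simply not needed.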