In a recent turn of events, the web development community has been rocked by a scandal involving Polyfill.io, a popular JavaScript library service, and Cloudflare, the renowned content delivery network. The controversy erupted when Polyfill.io was accused of distributing suspicious code across the internet, leading to its domain being shut down.
Polyfill.io, known for providing polyfills—bits of JavaScript code that add functionality to older browsers—came under fire after allegations surfaced that it was involved in a supply-chain attack. This attack reportedly affected over 100,000 websites, injecting malicious JavaScript code that could potentially harm users’ browsing experiences.
Cloudflare, in response to the growing concerns, took swift action by automatically replacing links to Polyfill.io with their own secure mirror under cdnjs. This move was aimed at safeguarding the internet and mitigating the risk of further supply chain attacks. Cloudflare has also emphasized that they never recommended Polyfill.io’s service and have distanced themselves from the embattled service provider.
As the situation unfolds, we want to assure our customers that we do not utilize Polyfill.io, thus avoiding any direct impact from this scandal. However, we recognize that some of our clients who used Cloudflare’s reverse proxy services may have experienced issues due to Cloudflare’s use of Polyfill.io. We are actively working with our clients to address any concerns and ensure their web services remain secure and reliable.
While Polyfill.io claims they are being defamed, it is important to note that the Chinese company that has acquired Polyfill.io is owned by the CCP.
Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would jeopardize our own reputation. We have already…
— Polyfill (@Polyfill_Global) June 26, 2024
This incident serves as a stark reminder of the importance of vigilance in web security and the potential vulnerabilities within the supply chain. We remain committed to providing our users with the latest updates on this story as it develops.
For those affected, the best course of action is to remove any references to Polyfill.io from your projects and replace them with a secure alternative. Cloudflare’s mirror, for instance, offers a non-breaking change as it serves the same polyfill content.
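One way to carry out that replacement, shown as an added example that is not part of the original article or any vendor's tooling: the code below finds polyfill.io references in markup (subdomains and protocol-relative URLs included) and rewrites them to the mirror. The mirror base URL and all function names are assumptions; confirm the URL against Cloudflare's own documentation before use.

```javascript
// Added example: locate and replace polyfill.io references in markup.
// MIRROR_BASE is an assumed value for the Cloudflare cdnjs mirror; confirm before deploying.
const MIRROR_BASE = "https://cdnjs.cloudflare.com/polyfill";

// http://, https:// or protocol-relative URL whose host is polyfill.io or any subdomain.
// The lookahead rejects look-alike hosts such as polyfill.io.example.
function polyfillPattern() {
  return /(?:https?:)?\/\/((?:[a-z0-9-]+\.)*polyfill\.io)(?![a-z0-9.-])(\/[^\s"'<>)]*)?/gi;
}

// Report every reference with its 1-based line number so it can be reviewed by hand.
function findPolyfillRefs(text) {
  const found = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(polyfillPattern())) {
      found.push({ line: i + 1, host: m[1].toLowerCase(), url: m[0] });
    }
  });
  return found;
}

// Swap the origin for the mirror while keeping the path and query (version, feature list).
function rewriteToMirror(text) {
  let count = 0;
  const out = text.replace(polyfillPattern(), (_match, _host, path) => {
    count += 1;
    return MIRROR_BASE + (path || "/");
  });
  return { text: out, count };
}

// Constructed sample markup, not taken from any real site.
const SAMPLE = [
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>',
  '<script src="//polyfill.io/v2/polyfill.js"></script>',
  '<script src="https://polyfill.io.example/v3/polyfill.min.js"></script>',
  '<script src="HTTPS://CDN.POLYFILL.IO/v3/polyfill.min.js"></script>',
].join("\n");

for (const r of findPolyfillRefs(SAMPLE)) console.log(`line ${r.line}: ${r.url}`);
console.log(rewriteToMirror(SAMPLE).text);
```

Run the finder over templates, build output and any CMS-stored HTML, since references often live outside the main code base; the look-alike host on the third sample line is left untouched for manual review.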
Stay tuned for more updates on this developing story.
For more information on the ongoing situation and how it may affect your web services, please refer to the detailed reports and analyses provided by The Register, Cloudflare’s official blog, and other reputable sources.