Polyfill.io supply‑chain incident: what happened

In the past few days a supply‑chain incident involving Polyfill.io disrupted a large number of websites. Polyfill.io, a service that delivers small JavaScript polyfills to add missing browser features, allegedly distributed suspicious code that was injected into many sites. Some reports estimate the impact reached more than 100,000 domains. Operators and investigators took the Polyfill.io domain offline while they responded.

How Cloudflare responded

Cloudflare moved quickly to reduce exposure. The company replaced references to Polyfill.io with a secure mirror served through cdnjs and has said it never recommended Polyfill.io. Cloudflare’s action reduced the risk of further automatic propagation through CDNs and reverse proxies.

Polyfill.io’s response and ownership concerns

Polyfill.io has publicly disputed the allegations. At the same time, reporting shows the project was in the process of being acquired by a Chinese firm, which raised additional concern because of that buyer’s reported ties to the Chinese government. Polyfill.io’s public statement is here: https://twitter.com/Polyfill_Global/status/1805923380857897277.

Who this affects

We do not use Polyfill.io, so our systems were not directly dependent on it. However, sites that relied on CDNs, reverse proxies, or other intermediaries sometimes received Polyfill.io assets even if the site owner never included them directly. That’s why some organizations saw collateral impact despite not calling Polyfill.io in their own code.

What you should do now

Remove any references to Polyfill.io from your projects and replace them with a trusted alternative. Cloudflare’s cdnjs mirror offers a non‑breaking option that serves the same polyfill content. Also audit other third‑party front‑end dependencies, and, when practical, prefer self‑hosting critical libraries or pinning specific versions and hosting copies you control.
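To make the "locate and replace" step concrete, here is an added example scanner (not code from the original post, Cloudflare, or the Polyfill.io project). It finds `<script src>` tags whose host is polyfill.io or a subdomain, flags any other mention of the hostname (preconnect hints, CSP meta tags, inline JS strings) for manual review, and rewrites the script references to a replacement URL while keeping the original `?features=` query. The replacement URL is an assumption: it is written as Cloudflare’s cdnjs‑hosted mirror, and you should confirm the exact path against Cloudflare’s own announcement, or point it at a copy you self‑host. The sample page is constructed for the demonstration.

```python
"""Scan HTML for Polyfill.io script references and rewrite them to a
controlled replacement URL.  Added example, not from the original post."""
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Hostname from the incident write-up; subdomains (e.g. cdn.) are matched too.
SUSPECT_HOST = "polyfill.io"

# ASSUMPTION: Cloudflare's cdnjs-hosted mirror URL. Confirm against Cloudflare's
# own announcement before relying on it; better still, self-host the bundle.
REPLACEMENT_URL = "https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"

SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(["'])(?P<src>[^"']+)\1""", re.IGNORECASE)
# Loose match for the hostname anywhere (preconnect hints, CSP headers in meta
# tags, string literals in inline JS) that the <script src> check would miss.
HOST_MENTION_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*polyfill\.io(?![\w-])", re.IGNORECASE)


def is_suspect_url(url: str) -> bool:
    """True if the URL's host is polyfill.io or a subdomain of it."""
    host = urlsplit(url.strip()).hostname  # handles https://, // and :port
    if not host:
        return False  # relative path: no host to judge
    return host == SUSPECT_HOST or host.endswith("." + SUSPECT_HOST)


def find_script_references(html: str) -> list[tuple[int, str]]:
    """Return (line_number, src) for each <script src> pointing at polyfill.io."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in SCRIPT_SRC_RE.finditer(line):
            if is_suspect_url(m.group("src")):
                hits.append((lineno, m.group("src")))
    return hits


def find_host_mentions(html: str) -> list[int]:
    """Line numbers with any polyfill.io hostname mention, for manual review."""
    return [n for n, line in enumerate(html.splitlines(), start=1)
            if HOST_MENTION_RE.search(line)]


def rewrite_script_references(html: str, replacement: str = REPLACEMENT_URL) -> str:
    """Swap every polyfill.io <script src> for `replacement`, keeping the
    original ?features=... query so the served bundle stays equivalent
    (ASSUMPTION: the replacement honours the same query parameters)."""
    def swap(m: re.Match) -> str:
        src = m.group("src")
        if not is_suspect_url(src):
            return m.group(0)
        query = urlsplit(src).query
        new_src = replacement + ("?" + query if query else "")
        return m.group(0).replace(src, new_src, 1)
    return SCRIPT_SRC_RE.sub(swap, html)


def scan_tree(root: Path, suffixes=(".html", ".htm", ".js")) -> dict[str, list[int]]:
    """Map each file under `root` to the lines mentioning polyfill.io."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            lines = find_host_mentions(path.read_text(errors="replace"))
            if lines:
                report[str(path)] = lines
    return report


# Constructed sample page, not a real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://polyfill.io">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6,fetch"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<script src="/static/app.js"></script>
<script src="https://example.com/notpolyfill.io.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f, lines in scan_tree(Path(sys.argv[1])).items():
            print(f"{f}: lines {lines}")
    else:
        for n, src in find_script_references(SAMPLE_HTML):
            print(f"line {n}: {src}")
        print(rewrite_script_references(SAMPLE_HTML))
```

Run it with a directory argument to get a per‑file report of every hostname mention, or with no arguments to see the sample page scanned and rewritten. Note that the preconnect hint on line 3 of the sample is reported but not rewritten: anything that is not a `<script src>` is left for a human to judge, since a blind string replace can corrupt CSP directives or unrelated text. If you rewrite to a self‑hosted copy rather than a dynamic mirror, also add a Subresource Integrity hash, which a user‑agent‑dependent polyfill service cannot provide.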

Offer of help and next steps

If you want assistance locating or replacing Polyfill.io references, or if you’d like a broader audit of third‑party scripts and CDNs, we can help. We will continue to monitor the situation and share verified updates as more information becomes available.