Polyfill.io supply‑chain incident: what happened

In the past few days a supply‑chain incident involving Polyfill.io disrupted a large number of websites. Polyfill.io, a service that delivers small JavaScript polyfills to add missing browser features, allegedly distributed suspicious code that injected into many sites. Some reports estimate the impact reached more than 100,000 domains. Operators and investigators took the Polyfill.io domain offline while they responded.

How Cloudflare responded

Cloudflare moved quickly to reduce exposure. The company replaced references to Polyfill.io with a secure mirror served through cdnjs and has said it never recommended Polyfill.io. Cloudflare’s action reduced the risk of further automatic propagation through CDNs and reverse proxies.

Polyfill.io’s response and ownership concerns

Polyfill.io has publicly disputed the allegations. At the same time, reporting shows the project was in the process of being acquired by a Chinese firm, which raised additional concern because of that buyer’s reported ties to the Chinese government. Polyfill.io’s public statement is here: https://twitter.com/Polyfill_Global/status/1805923380857897277.

Who this affects

We do not use Polyfill.io, so our systems were not directly dependent on it. However, sites that relied on CDNs, reverse proxies, or other intermediaries sometimes received Polyfill.io assets even if the site owner never included them directly. That’s why some organizations saw collateral impact despite not calling Polyfill.io in their own code.

What you should do now

Remove any references to Polyfill.io from your projects and replace them with a trusted alternative. Cloudflare’s cdnjs mirror offers a non‑breaking option that serves the same polyfill content. Also audit other third‑party front‑end dependencies, and prefer self‑hosting critical libraries or pinning and hosting copies you control when practical.

Offer of help and next steps

If you want assistance locating or replacing Polyfill.io references, or if you’d like a broader audit of third‑party scripts and CDNs, we can help. We will continue to monitor the situation and share verified updates as more information becomes available

The post Breaking News: Web Service Scandal Unfolds with Polyfill.io and Cloudflare appeared first on Tarheel Media Digital Marketing.

Let’s Encrypt, a trusted provider of free SSL certificates, has been issuing certificates through two chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3. The cross-signed chain has been crucial in ensuring widespread trust for Let’s Encrypt certificates across various devices.

However, Let’s Encrypt is now making a vital change that may affect the compatibility of these certificates. Specifically, they are removing the root from the trust store, which could result in older devices – such as those running Android 7 – being unable to use or trust these certificates.

This change is significant as it may impact the security and accessibility of websites, especially for users accessing them from devices that rely on the now-unsupported chain. We understand the importance of ensuring seamless browsing experiences for all users, which is why we want to bring this update to your attention.

As your trusted web development partner, we are here to assist you in navigating through these changes. If you have any concerns or questions regarding your SSL certificates and their compatibility, please don’t hesitate to reach out to us. Our team is dedicated to ensuring that your websites remain secure and functional for all users, regardless of device compatibility challenges.

We appreciate your attention to this matter and your continued trust in Tarheel Media for your web development needs.

The post Important Update: Let’s Encrypt SSL Certificate Changes Affecting Device Compatibility appeared first on Tarheel Media Digital Marketing.