What Happened When a Polyfill CDN Was Hijacked? Lessons for Secure Web Development
A June 2024 security breach compromised a popular JavaScript polyfill CDN, injecting malicious code that redirected over 100,000 sites, prompting warnings from Google and GitHub and highlighting best practices for protecting web applications from CDN‑based supply‑chain attacks.
On June 25, 2024, the Sansec security research team disclosed a severe cyber‑security incident: a widely used JavaScript polyfill project was taken over by a foreign actor believed to be based in China. The attacker injected malicious code into the JavaScript resources distributed via the cdn.polyfill.io CDN, causing browsers to redirect users to gambling sites. Sansec estimates that more than 100,000 websites were affected, including publicly listed companies such as Intuit.
Andrew Betts, the founder of the polyfill service, issued a statement in February confirming that he was not involved in the official operation of cdn.polyfill.io.
Cloudflare now automatically replaces polyfill.io links with safe mirrors. Google has warned advertisers that their landing pages contain malicious code that may redirect visitors without the site owner's knowledge. Google also noted that services such as Bootcss, Bootcdn, and Staticfile have been observed causing similar unwanted redirects, potentially affecting thousands to hundreds of thousands of sites in supply‑chain attacks. The offending code appears to originate from several third‑party resource providers, including Polyfill.io, Bootcss.com, Bootcdn.net, and Staticfile.org.
GitHub has issued warnings about the compromised repository.
Polyfill Overview
A polyfill is a browser compatibility technique that allows developers to use modern JavaScript APIs while ensuring those APIs work in older browsers. It acts as a bridge between new and legacy technologies, providing a consistent user experience across different browsers.
In the early days of web development, varying browser update cycles caused compatibility headaches. Polyfills supply missing API support, for example Array.prototype.includes or Promise, enabling modern features to run in browsers like Internet Explorer that lack native implementations.
CDN Use in Polyfills
Content Delivery Networks (CDNs) are globally distributed server systems that deliver content based on user location, optimizing load speed and performance. In the realm of JavaScript polyfills, CDNs are crucial for ensuring that polyfill libraries are quickly and reliably accessible worldwide.
Benefits of using a CDN include reduced latency, faster loading times, and avoiding bundling large JavaScript libraries directly into applications. Services such as Google Analytics also recommend loading scripts via CDN.
Security Risks of CDN‑Hosted Polyfills
Hosting polyfills on a third‑party CDN introduces a significant security risk: whoever controls the CDN can execute arbitrary JavaScript in every page that loads the script, which has the same impact as a cross‑site scripting (XSS) attack.
When an application depends on a CDN‑served polyfill, it inherits the security posture of that CDN. If the CDN or the hosted library is compromised, malicious code can be injected and executed, leading to phishing redirects, data theft, or malware distribution.
Preventing CDN Supply‑Chain Attacks
Use reputable CDN providers such as Cloudflare, which offer strong security measures and reliability.
Regularly audit and monitor all third‑party scripts and dependencies.
Leverage Subresource Integrity (SRI) to verify that CDN‑delivered content has not been tampered with.
Implement Content Security Policy (CSP) to restrict script sources and block malicious execution.
Keep all libraries and dependencies up to date to patch known vulnerabilities.
Assess whether polyfills are truly needed; modern browsers now support many features natively, reducing reliance on third‑party CDNs.
Code Mala Tang
Read source code together, write articles together, and enjoy spicy hot pot together.