Open Source · 2024-02-01 · 147 days · Malicious Redirection

Polyfill.io CDN served malicious redirects

After the popular polyfill.io domain was acquired by Funnull, the CDN began serving malicious JavaScript to selected visitors.

Story

Polyfill.io was a runtime dependency rather than a package installation. Websites embedded a script URL so older browsers could receive compatibility code on demand. That meant the service owner could change what users received without site operators changing their own source.

After the domain changed hands, researchers observed the CDN serving suspicious JavaScript to selected clients. The malicious behavior was dynamic, based on request context such as headers and device traits. Sansec and The Register described mobile-user redirection through fake analytics-style domains toward scam or gambling destinations.

The incident was not a compromise of the original open-source polyfill project so much as a hostile change in the delivery authority for a widely embedded CDN domain. Andrew Betts, the original project creator, had already warned that the domain transfer created supply-chain risk and advised site owners to remove the dependency.

The practical guidance was simple: stop loading scripts from polyfill.io. Cloudflare and Fastly offered safer mirrors for temporary compatibility, and Google warned advertisers whose sites still embedded the impacted third-party library URLs. The reported count of affected websites measured exposure, not confirmed exploited visitors.
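A check site operators can run against the guidance above, added here as an example that is not part of this record: it scans HTML for script tags whose host is polyfill.io or any of its subdomains (such as cdn.polyfill.io), including protocol-relative URLs; the sample page, domain list and helper names are the editor's own constructions.

```python
# Scan HTML for <script> tags that load from polyfill.io, as the guidance above requires.
# Added example; the domain list, sample page and helper names are the editor's own.
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPECT_DOMAINS = ("polyfill.io",)  # subdomains such as cdn.polyfill.io match too

def is_suspect_host(src):
    """True if the script URL's host is polyfill.io or a subdomain of it.
    Protocol-relative URLs (//cdn.polyfill.io/...) are covered; local paths
    have no host and are ignored."""
    host = urlsplit(src.strip()).hostname  # lowercased, port stripped
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

class ScriptTagScanner(HTMLParser):
    """Records (line, src) for every external script with a suspect host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser already lowercases tag names
            return
        src = dict(attrs).get("src")
        if src and is_suspect_host(src):
            self.findings.append((self.getpos()[0], src))

def find_polyfill_scripts(html):
    """Return [(line_number, src)] for each script still loaded from polyfill.io."""
    scanner = ScriptTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: three external loads, two of them from the risky domain.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="/static/app.js"></script>
<script src="//POLYFILL.IO/v3/polyfill.min.js"></script>
<script src="https://example.org/lib.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for line, src in find_polyfill_scripts(SAMPLE_HTML):
        print(f"line {line}: remove or replace {src}")
```

Run it over saved page sources or templates; each finding is a script load that the service owner, not the site operator, controls.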

Affected Artifacts

Incident Context

Motive: Malicious
Attribution: Group
Cause: Domain Acquisition
Transitive: Yes
Actor: Third Party
User Impact: 100000

External References

Source record: oss/attacks/polyfill.io/meta.yaml