More than 110 thousand sites that use the open JavaScript library Polyfill to ensure compatibility with older browser versions have fallen victim to malicious changes made to the library code by the project's new owner. The library, loaded by sites from the cdn.polyfill.io domain, had malicious code embedded in it that redirects users to fraudulent sites (for example, googie-anaiytics.com), bookmakers and online casinos.
In February, the Polyfill project was sold to Funnull, a company from China, which gained access to the GitHub account and the polyfill.io website. A few months after the acquisition, the new owner set up a fraudulent monetization scheme that redirects some users to dubious sites. The redirect fired only with some probability, at certain hours, and subject to conditions such as the site being opened from a mobile phone and the absence of cookies that would indicate the page was opened by the site administrator. When web analytics systems were detected on a site, the redirect was delayed for several seconds so that it would not appear in the statistics of those systems.
It is noteworthy that the new owner deletes from GitHub any complaints that point to suspicious activity or to the change in ownership, and apparently hopes that users will assume the automatic redirect was set up by the authors of the sites they originally opened.
Polyfill users are advised to remove the code that loads the library from the cdn.polyfill.io host as soon as possible. It is noted that Polyfill is no longer needed today, since all major browsers adequately support the Web API (Polyfill dynamically identifies the current browser from the User-Agent header and, for outdated browsers, generates functions that implement the missing methods, properties and APIs).
Those who still need Polyfill can use the copies of the library distributed by Fastly and Cloudflare, or can serve a local copy from their own server based on the code in the fork repository created by the original author of the project. The mirrors were created in February because of doubts about the trustworthiness of the new owner of the polyfill.io domain.
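To find the loader code that has to be removed, page and template source can be checked for tags that reference polyfill.io or any of its subdomains. The following is an added example, not code from the article or from the Polyfill project; the function names and the sample markup are constructed for illustration.

```javascript
// Added example: report <script>/<link> tags whose src/href points at
// polyfill.io or a subdomain (e.g. cdn.polyfill.io). Names are hypothetical.
const BLOCKED_DOMAIN = "polyfill.io";

// Constructed sample page source (not taken from a real site).
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="preconnect" href="https://cdn.polyfill.io">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//CDN.POLYFILL.IO/v2/polyfill.js'></script>
<script src="https://polyfill.io.example.test/p.js"></script>
<script src="/static/js/polyfill.io.js"></script>
<script src=https://notpolyfill.io/x.js></script>
</head></html>`;

// Resolve a reference (absolute, protocol-relative or relative) to a hostname.
function hostOf(ref) {
  try {
    return new URL(ref, "https://base.invalid/").hostname.toLowerCase();
  } catch {
    return null; // unparsable reference
  }
}

// Match the domain itself or a true subdomain, not look-alike hosts.
function isBlockedHost(host) {
  return host === BLOCKED_DOMAIN || host.endsWith("." + BLOCKED_DOMAIN);
}

// Returns [{line, tag, host, ref}] for every matching tag. Commented-out
// tags are reported too, which is the conservative choice for an audit.
function findPolyfillLoads(html) {
  const findings = [];
  const tagRe = /<(script|link)\b[^>]*>/gi;
  const attrRe = /\s(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = attrRe.exec(m[0]);
    if (!attr) continue;
    const ref = attr[2] ?? attr[3] ?? attr[4];
    const host = hostOf(ref);
    if (host && isBlockedHost(host)) {
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ line, tag: m[1].toLowerCase(), host, ref });
    }
  }
  return findings;
}

console.log(findPolyfillLoads(SAMPLE_HTML));
```

The check resolves each reference to a hostname before comparing, so protocol-relative and mixed-case URLs are caught while local files and look-alike hosts that merely contain the string are not reported.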