Decipher Files: Polyfill.io and the JavaScript Supply Chain Compromise That Reached 100,000 Sites
A Chinese-owned domain operator acquired polyfill.io in February 2024 and silently injected malicious JavaScript into the polyfill.js script, which approximately 100,000 websites loaded directly into their pages. Sansec disclosed the compromise on June 25, 2024, and within 48 hours Cloudflare, Google Search, and Namecheap had blocked the domain. The case is the canonical 2024 worked example of how a third-party-script supply chain becomes a content-injection attack at scale.
Founder, DecipherU. Ed.D. Learning Sciences (University of Miami), MBA Marketing, M.S. OLL (Barry University), M.S. Applied AI in progress (Northeastern University).
Sansec, a Dutch e-commerce security firm, published "Polyfill supply chain attack hits 100K+ sites" on June 25, 2024 (Sansec Threat Research). The disclosure described that polyfill.io, a JavaScript library and CDN service that approximately 100,000 websites used to provide compatibility shims for older browsers, had been silently compromised after a February 2024 acquisition by a Chinese owner.
The attack pattern: when a website embedded a script tag pointing at cdn.polyfill.io (the standard usage), the polyfill.io server fingerprinted the visitor's browser. For specific browser/device combinations (mobile devices, specific user agents) and at specific times (the script avoided weekday business hours when site administrators would more likely notice), the server returned modified JavaScript that redirected the visitor to attacker-controlled gambling and adult-content sites. The attack was selective enough to evade casual detection by site operators but broad enough to monetize at scale.
The response cascade across June 25-30, 2024 was unusually fast for a supply-chain incident:
- June 25, 2024 (morning): Sansec publishes the disclosure with technical analysis
- June 25, 2024 (afternoon): Cloudflare announces it is automatically rewriting polyfill.io URLs to its own polyfill mirror for all customer sites
- June 26, 2024: Google Search marks polyfill.io as a malicious domain in Search Console; Namecheap (the original domain registrar) takes the domain offline
- June 27, 2024: Fastly publishes a free polyfill mirror as an alternative
- June 28, 2024: Andrew Betts, the original creator of polyfill.io, publishes a statement clarifying that he was not involved in the post-acquisition operations and had recommended in February 2024 (after the acquisition) that sites stop using polyfill.io
- June 30, 2024: BunnyCDN and other CDN providers had published similar mirror options
CISA did not publish a dedicated advisory on Polyfill (the response was sufficiently rapid through commercial channels that government coordination was not needed for incident triage), but the FBI's August 2024 Private Industry Notification on third-party JavaScript supply-chain risk specifically referenced Polyfill as the canonical example.
Five lessons that compound for cybersecurity practitioners:
First, third-party JavaScript loaded directly into a site's primary document is a supply-chain attack surface that traditional vendor-risk programs do not address. Most organizations' vendor-risk-management processes evaluate vendors on their own security posture; few evaluate the structural risk of the vendor's domain ownership or business control changing. The cybersecurity-program lesson is that any third-party script loaded into a website's primary document carries an implicit trust assumption about the script provider's continued ownership and operational integrity.
Second, the Subresource Integrity (SRI) browser feature would have stopped affected sites from executing the tampered script. SRI requires the embedding HTML to include a cryptographic hash of the expected script content; the browser refuses to execute a script whose hash does not match. Polyfill.io's design (dynamic browser-detection-based responses) was incompatible with SRI because the script content varied per request. The cybersecurity-program lesson is that any script that cannot be SRI-pinned should be served from infrastructure under the consuming site's control, not from a third-party CDN.
Third, content-script delivery from external CDNs is structurally fragile in a way most organizations underweight. The polyfill.io attack would not have worked if sites had self-hosted the polyfill script. Cloudflare's June 25 announcement of automatic URL rewriting was, in effect, the CDN industry acknowledging that the third-party-script trust model had failed and moving to a self-hosted fallback by default. Cybersecurity-program implications: any external script reference in production websites should be reviewed against a self-hosted alternative.
Fourth, the post-acquisition trust transfer in domain ownership is now a recognized attack pattern. The polyfill.io domain was owned by Andrew Betts (who built and maintained the original library) and was acquired by Funnull (a Chinese-owned entity) in February 2024. The acquisition itself was not malicious; the post-acquisition tradecraft was. The cybersecurity-program lesson is that domain-ownership changes for any third-party asset embedded in a production website are operational events that warrant security review.
Fifth, the rapid commercial response (Cloudflare, Google, Namecheap, Fastly) demonstrated that supply-chain incidents can be addressed at the infrastructure layer faster than at the operator layer. Most affected sites did not need to take action; their CDN provider or DNS provider made the change for them. The cybersecurity-policy implication is that future supply-chain compromises of comparable scope are likely to be addressed via similar CDN-mediated mitigation rather than via per-site response. Cybersecurity programs should pre-establish their relationship with CDN-tier mitigation capabilities.
For careers: application-security engineers, supply-chain-security engineers, web-application security specialists, and cybersecurity consultants advising on third-party-script governance all reference Polyfill as the canonical 2024 worked example. The OWASP Top 10 for JavaScript Supply Chain Security (drafted by the OWASP Foundation in 2024-2025) explicitly cites the Polyfill case in its threat model.
Verifiable Predictions
By end of 2026, at least one major web framework (React, Next.js, Astro, SvelteKit) will ship a default Subresource Integrity enforcement mode for production builds.
At least one additional third-party-CDN-mediated JavaScript supply-chain compromise of comparable scope will be publicly disclosed before end of 2026.
The OWASP Top 10 for JavaScript Supply Chain Security will be published as a formal OWASP Foundation project before end of 2026.
References
- Sansec (2024). Polyfill supply chain attack hits 100K+ sites. Sansec Threat Research.
- Cloudflare (2024). Automatic protection from polyfill.io supply chain attack. Cloudflare Blog.
- Betts, A. (2024). Polyfill.io: I have no involvement with the new owners (statement, June 28, 2024). Twitter / X.
- Federal Bureau of Investigation (2024). Private Industry Notification on Third-Party JavaScript Supply-Chain Risk. FBI Cyber Division.
- OWASP Foundation (2024). OWASP Top 10 for JavaScript Supply Chain Security (draft). OWASP Project.
This trend analysis represents original research and interpretation by DecipherU. Predictions are based on publicly available data and cited academic sources. Actual outcomes may differ. This content is for educational purposes and does not constitute investment, career, or financial advice.
This analysis covers the February-June 2024 period. DecipherU reviews and updates trend articles monthly. The article includes 3 verifiable predictions that will be tracked and updated as events unfold.
Based on this trend, relevant certifications include CISSP and CCSP. Visit our certification guides for current pricing, exam format, and ROI analysis.