Cloudflare redirects all Polyfill.io links on its customers’ sites to secure mirror

Cloudflare is replacing all references to the Polyfill.io domain in a highly unusual move. The open-source JavaScript application library reportedly spread malicious code after a Chinese takeover, putting website visitors at risk of being redirected to rogue sites via their browsers. Links to Polyfill code on Cloudflare customers’ sites now point to a secure mirror.

Since June 8, Polyfill.io has been spreading malicious JavaScript code. This code redirects website visitors to sites other than the ones they intended to visit. It follows the takeover of Polyfill’s domain name and GitHub account by Funnull, a relatively unknown Chinese CDN operator, earlier this year.

Polyfill.io is an open-source code library that website developers use to add functionality for older browsers. The Polyfill.js file allows end users of older browsers to still visit and use websites they wouldn’t be able to use otherwise. About 100,000 websites use this functionality.

Cloudflare’s exceptional measure

CDN provider Cloudflare is decidedly unamused by the spread of malicious code and has taken the exceptional measure of intervening directly in its customers’ sites. Cloudflare now automatically redirects links on its customers’ sites that point to the Polyfill.io domain to its own secure mirror.

In addition, Polyfill.io allegedly falsely listed an ‘endorsement’ from Cloudflare on its website. The CDN giant states that permission for this was never granted and that a removal request was ignored. According to Cloudflare, the latter is further evidence that the service can no longer be trusted.

Automatic redirection

For these specific links, the redirection is completely automatic for customers who use Cloudflare’s free proxy service. Paying customers must manually enable the redirection to the secure mirror with one click. All customers can also disable the option again.

Furthermore, Cloudflare calls on website admins to remove all existing Polyfill code, as it potentially spreads malicious code to visitors’ browsers.
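One way for an admin to locate pages that still load code from Polyfill.io before cleaning them up, as an added example that is not from the article or from Cloudflare: a Python scan of HTML for `script` and `link` tags whose URL host is polyfill.io or one of its subdomains. The function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_DOMAIN = "polyfill.io"       # domain named in the article
RESOURCE_TAGS = {"script", "link"}   # tags that pull resources into the page
URL_ATTRS = {"src", "href"}

def host_matches(url, domain=FLAGGED_DOMAIN):
    """True if the URL's host is `domain` or one of its subdomains."""
    try:
        # urlsplit also handles protocol-relative URLs ("//host/path")
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:               # malformed URL: nothing to match
        return False
    host = host.rstrip(".")          # hostname is already lower-cased
    return host == domain or host.endswith("." + domain)

class ReferenceFinder(HTMLParser):
    """Collects (line, tag, url) for resource tags pointing at the domain."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_TAGS:
            return
        for name, value in attrs:
            if name in URL_ATTRS and value and host_matches(value):
                self.hits.append((self.getpos()[0], tag, value))

def find_references(html):
    finder = ReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: three real references and three look-alikes.
SAMPLE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.js?features=fetch"></script>
<script src="/static/js/polyfill.io-notes.js"></script>
<script src="https://polyfill.io.example.com/p.js"></script>
<link rel="preconnect" href="https://POLYFILL.IO">
</head><body><a href="https://polyfill.io/docs">docs</a></body></html>
"""

if __name__ == "__main__":
    for line, tag, url in find_references(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Matching on the parsed host rather than on a substring keeps local paths and look-alike hosts such as `polyfill.io.example.com` out of the results.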

Google Ads blocks affected websites

It’s not just Cloudflare that warns about shady practices surrounding the open-source JavaScript library. Google has also taken steps to bar websites that use malicious code from Google Ads, The Register reports. According to a post on X following the tech giant’s warning, this should curb traffic to these websites and further reduce the number of potential victims.

Incidentally, the owners of Polyfill.io got the service back on the air after registrar Namecheap shut it down, BleepingComputer reports. Polyfill claims it has been defamed and denies allegations that it was distributing malicious code.