Skip to main content
Blog
Blog Attacks

More than 490k websites targeted in web supply chain attack

The cdn.polyfill[.]io domain is being used in a web supply chain attack. We were first to report the real scale: more than 490,000 affected websites.

Jun 25, 2024 6 min read
more-than-490k-websites-image-cover

NOTE: we now have a more complete article on the Polyfill attack, plus a full Polyfill.io timeline and analysis (2024–2026).

The cdn.polyfill[.]io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.

Among the +490k websites targeted, it was confirmed the domain was still active on Disney-owned streaming service Hulu, The Guardian, Intuit and many more.

Immediate Action: Check your code for any use of the polyfill.io domain and remove it from your applications. Below, we explain how cside can detect and block such threats. Get started using cside for free today and secure yourself. Use our script scanner to check what vulnerabilities your site has.

An open-source project called Polyfill allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser. In February 2024, the domain polyfill.io was bought by Funnull, a Chinese company. Following the sale, the developer, Andrew Betts, urged users on Twitter to remove references to this CDN:

If your website uses

https://t.co/3xHecLPXkB

, remove it IMMEDIATELY.

I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale.

https://t.co/GYt3dhr5fI

— Andrew Betts (@triblondon)

February 25, 2024

The most popular CDN providers have since created their own forks, giving users a safer choice. Most browsers have evolved to make this no longer necessary anyway. A website called Polykill was created to report this and the possible fixes. You can use it to research if a site runs the compromised domain. At the point of writing this article, it has not been updated with reference to this issue.

The domain was found injecting malicious code into devices via websites using cdn.polyfill[.]io. The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users and delaying execution. The code is also obfuscated. Security vendor Sansec documented the payload in its forensic report. (The related CVE-2024-38526 was assigned to pdoc, the Python documentation tool that loaded polyfill.io, not to the incident as a whole.)

In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link googie-anaiytics[.]com/gtags.js. This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region. But this being JavaScript, could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft.

A site that we were redirected to in testing this vulnerability:

Sports betting site that the polyfill.io payload redirected our test browser to

Between March 7th and 8th 2024, the domain maintainers added a Cloudflare Security Protection header to their site, as can be seen on the Internet Archive. Its purpose was not explained and is not clear.

Cloudflare has since confirmed they didn’t authorize its use.

Internet Archive snapshot of the polyfill.io homepage during the attack

This attack places hundreds of thousands of websites at immediate risk. Early reports said 100,000, but that was simply the default result cap of the PublicWWW search tool. The real count was more than 490,000. (Censys independently counted 384,773 hosts still referencing the domain on 2024-07-02.) When a once safe domain is embedded in this many websites and concealed the way JavaScript threats are, it becomes a tempting path for malicious actors.

Presumably, Funnull, the current owner of Polyfill’s domains, created a social account with the same name around the reported time they bought the domains (February 2024). In posts on X (previously Twitter), they accuse Cloudflare, the media, and others of malicious defamation:

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website,

but no one would do this as it would be jeopardize our own reputation.

We have already…— Polyfill (@Polyfill_Global)

June 26, 2024

Take action now

The Polyfill service itself is still solid. You can host your own version in a safe and controlled environment without issue. The issue lies within the domain cdn.polyfill[.]io which should immediately be removed from your sites.

Third-party resources are in a very powerful position and thus a high value target for bad actors. CDNs hosting third-party scripts are subject to attack. In 2021 cdnjs itself had certain vulnerabilities exposed.

Editor's note (2026): The section below describes cside's original 2024 architecture. cside now performs full client-side script monitoring — a single first-party JavaScript snippet that observes what third-party scripts actually do in real visitors' browsers, including the conditional, geo- and time-gated payloads (like this one) that show clean code to scanners and crawlers. The script-delivery proxy described below was retired in early 2026.

With cside, browser-fetched third-party dependencies are no longer made directly to the third party. Instead, they travel through the cside detection and optimization engine. Making it able to detect highly targeted attacks against a small percentage of users. If anything malicious is detected, we block it before it gets served to the end-user.

Our detection engine is able to spot this change in the actual code and block it from happening. If a site running cside would also have had the cdn.polyfill[.]io try to load a tampered script, it would not have been served to the user.

You would have been alerted right away and would’ve known the second this was going on. We also save the script’s code and deobfuscate it so you can check what it does for yourself.

At the time of writing this article, threat feeds do not flag this domain. This underlines the fact that relying solely on those is risky business, as we mentioned here.

A redirect was only what was caught. We later explained why the Polyfill attack was more than just a redirect attack, and in 2025 OFAC sanctioned Funnull, the company behind the domain.

Get started using cside for free and protect yourself today.

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

The cdn.polyfill[.]io domain was sold to Funnull in early 2024 and started injecting malicious JavaScript into the hundreds of thousands of sites that still referenced it. Hulu, The Guardian, and Intuit were among the high-profile sites affected.

Remove the script immediately and audit the rest of your third-party scripts for similar abandoned or sold domains. Hosting your own polyfill build or switching to a vetted CDN mirror is the safest path.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo