In June last year, the Polyfill.io domain was hijacked in a supply chain attack, putting hundreds of thousands of websites at risk. As users of the Polyfill.io service, we issued a client advisory via Slack on June 26, 2024, urging immediate removal or migration.
This statement is available here for historial purposes as the advice remains relevant today:
Security Alert: Polyfill.io
Due to recent security concerns identified with Polyfill.io, we have decided that all Polyfill.io scripts should be removed from React projects going forward.
What is Polyfill.io?
Polyfill.io is a service that provides a way to include polyfills in web projects. Polyfills are pieces of code (usually JavaScript) that provide modern functionality on older browsers that do not natively support certain features. This allows developers to use newer web technologies without worrying about compatibility issues across different browsers.
What is the security concern?
Recently, the domain for Polyfill.io was acquired by a Chinese organization. This domain is now being used to distribute malware, affecting over 100,000 websites. Multiple security firms have issued urgent warnings for organizations to immediately remove any JavaScript code from the Polyfill.io domain.
What is the risk?
After a thorough assessment, we have determined that the risk to our projects is very low. This conclusion is based on the default behaviour of Polyfill.io scripts in our React applications, which only impacts users with legacy browsers that do not support
Object.entries(https://caniuse.com/object-entries).What this means
Despite the very low risk we are recommending the following:
- Effective immediately, Polyfill.io scripts should not be included in any new projects.
- Existing projects that do not support legacy browsers (eg. IE11) should be updated to remove Polyfill.io scripts.
- Existing projects that do support legacy browsers should be updated to utilise the CloudFlare alternative to Polyfill.io.
Next Steps
We recommend that all developers working on React projects take immediate action to remove or update any Polyfill.io scripts following the criteria outlined above.
Most React projects are likely to include at least two Polyfill.io scripts. These can typically be found in
public/index.ejsandpublic/index_fragment.ejs. However, we advise performing a comprehensive search of your project for "polyfill.io" to ensure all instances are identified and addressed.If you have any questions or need further assistance, please do not hesitate to reach out.