
Polyfill.js supply chain attack


Over 110,000 websites are currently affected by a supply chain attack on the polyfill.js library.

Polyfill.js

Polyfill.js is a script, served from the polyfill.io domain, that web developers include to add newer JavaScript and browser APIs (polyfills) to older browsers so their sites don't break on them.

On Feb 24, 2024, the Chinese company Funnull purchased the website (the polyfill.io domain) and the GitHub repo for polyfill.

The author of the library, Andrew Betts, said after the purchase: "if your website uses polyfill remove it IMMEDIATELY."

Andrew Betts Tweet

He states that although he authored the service, he never owned the domain and had no say in its sale.

The company has tried to silence any mention of the purchase.

The new owners inject malicious code into the otherwise legitimate polyfill script, but only under specific conditions: the request must come from a mobile user agent and carry a referrer from a reputable site, so crawlers, desktop analysts and direct visits get the clean file. The injected code loads a further JavaScript payload from a look-alike domain (googie-anaiytics.com, a typosquat of google-analytics.com), which then redirects mobile users to one of many malicious websites. The attack is semi-sophisticated: it uses several obfuscation techniques and environment checks to evade detection and to target only specific users. GitHub user alitonium has published a more detailed explanation of how the injected code works.

This isn't the first time an attack like this has happened, and anyone loading third-party scripts from a public CDN should understand the risk: whoever controls the CDN's domain (including whoever buys it later) can change what your pages execute at any time. Subresource Integrity lets the browser reject a script whose hash has changed, but it only works for a fixed file; polyfill.io tailored its output to each user agent, so no single hash could be pinned, which is exactly why self-hosting a known copy is the remediation.

If you still need polyfill and haven't started hosting your own copy, Cloudflare runs a drop-in mirror of the service.
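As an added example (not code from the original post, from polyfill.io, or from Funnull), here is a small Node.js scanner that checks your own pages for the pattern described above: script tags that load from polyfill.io or from the googie-anaiytics.com second-stage host, plus any cross-origin script that carries no integrity hash. A second helper applies the self-hosting advice from the previous paragraphs by rewriting polyfill.io loads to a local file. The sample HTML, the hostnames ending in .test, the placeholder SRI hash and the /static/polyfill.min.js path are all constructed for the demo.

```javascript
// Added example for this post (not code from the original article, polyfill.io,
// or Funnull): scan a page's HTML for <script src=...> tags, flag any that load
// from the compromised polyfill.io domain or from the second-stage host named
// in the write-up (googie-anaiytics.com), and flag cross-origin scripts that
// carry no Subresource Integrity hash. A second helper rewrites polyfill.io
// loads to a self-hosted path. SAMPLE_HTML and every path in it are constructed
// for the demo; URL is Node's built-in global, so nothing needs installing.

// Hosts tied to this incident. Subdomains (cdn.polyfill.io, www.googie-anaiytics.com) match too.
const SUSPECT_HOSTS = ["polyfill.io", "googie-anaiytics.com"];

const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
// src= attribute, but not data-src= or similar; accepts double-, single- or unquoted values.
const SRC_ATTR_RE = /(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function srcOf(attrs) {
  const m = SRC_ATTR_RE.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve relative and protocol-relative src values against the page URL; null if unparsable.
function hostOf(src, pageUrl) {
  try { return new URL(src, pageUrl).hostname.toLowerCase(); } catch { return null; }
}

function isSuspectHost(host) {
  return SUSPECT_HOSTS.some(h => host === h || host.endsWith("." + h));
}

// Returns one finding per script that is either on a suspect host or is
// cross-origin without an integrity attribute. Inline scripts are skipped.
function scanHtml(html, pageUrl = "https://example.com/") {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = m[1];
    const src = srcOf(attrs);
    if (src === null) continue;
    const host = hostOf(src, pageUrl);
    if (host === null) continue;
    const suspect = isSuspectHost(host);
    const hasIntegrity = /(?<![\w-])integrity\s*=/i.test(attrs);
    const crossOrigin = host !== pageHost;
    if (suspect || (crossOrigin && !hasIntegrity)) {
      findings.push({ src, host, suspect, crossOrigin, hasIntegrity });
    }
  }
  return findings;
}

// Replace every polyfill.io load with a self-hosted copy. The local path is an
// assumed example; you still have to download, review and serve that file yourself.
function rewriteToSelfHosted(html, pageUrl = "https://example.com/", localPath = "/static/polyfill.min.js") {
  return html.replace(SCRIPT_TAG_RE, (tag, attrs) => {
    const src = srcOf(attrs);
    const host = src === null ? null : hostOf(src, pageUrl);
    if (host === null || !(host === "polyfill.io" || host.endsWith(".polyfill.io"))) return tag;
    return tag.replace(src, () => localPath); // function form avoids "$" substitution patterns
  });
}

// Constructed sample page: one polyfill.io load, one same-origin script, one
// cross-origin script with SRI (placeholder hash), one cross-origin script
// without SRI, one second-stage load, one inline script.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://widgets.example-partner.test/widget.js"></script>
<script src='https://www.googie-anaiytics.com/ga.js'></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

console.log("before:", scanHtml(SAMPLE_HTML));
console.log("after rewrite:", scanHtml(rewriteToSelfHosted(SAMPLE_HTML)));
```

Two limits worth knowing. The integrity check only tells you which cross-origin scripts could be pinned; it cannot fix the polyfill.io case, because that service served a different bundle per user agent and no single hash could ever be attached to it, which is why the rewrite to a local copy is the remediation rather than an added integrity attribute. And the scanner only sees what is in the page source; scripts that other scripts add at runtime (the second stage in this attack is loaded that way) need a browser-side control such as a Content-Security-Policy script-src allowlist with reporting.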