Cloudflare automatically fixes Polyfill.io for free sites
Cloudflare replaces polyfill.io links with their mirror under cdnjs to enhance Internet safety, addressing concerns of malicious code injection. Users urged to switch to Cloudflare's mirror for improved security.
Cloudflare has taken steps to automatically replace polyfill.io links with their own mirror under cdnjs to enhance Internet safety. This decision was made due to concerns about the polyfill service being used to inject malicious JavaScript code into users' browsers. Cloudflare's new feature rewrites any polyfill.io links found on websites proxied by Cloudflare to their mirror, reducing the risk of supply chain attacks. While the feature is automatically activated for free plan websites, paid plan users can enable it with a single click. Cloudflare advises all website owners, regardless of Cloudflare usage, to remove polyfill.io from their projects and replace it with Cloudflare's mirror for security. The company also highlights the importance of proactive measures to ensure website security, such as searching for instances of polyfill.io in code repositories and replacing them with secure alternatives. Cloudflare's decision to replace polyfill.io links aims to protect a wide range of websites from potential security threats associated with the service.
Related
More Memory Safety for Let's Encrypt: Deploying ntpd-rs
Let's Encrypt enhances memory safety with ntpd-rs, a secure NTP implementation, part of the Prossimo project. Transitioning to memory-safe alternatives aligns with broader security goals, supported by community and sponsorships.
Cloudflare blocking my IP (2023)
The Cloudflare Community discusses a user facing "verify you are human" prompts on Cloudflare-protected sites. Cloudflare advises contacting site owners for resolution, clarifying they don't block IPs. User frustration ensues.
Malicious Code Injection Found in CDN Polyfill Link Targeting Mobile Users
Polyfill.io selectively polyfills browser features based on User-Agent headers. Tailored polyfills are provided, with official documentation on their website. Contribution guide on GitHub, self-hosting info, and MIT license available.
Polyfill supply chain attack hits 100K+ sites
A supply chain attack on Polyfill JS affects 100,000+ websites, including JSTOR and Intuit. Malware redirects mobile users to a betting site. Users advised to switch to trusted alternatives like Fastly and Cloudflare.
If you're using Polyfill.io code on your site – remove it immediately
A Chinese organization acquired polyfill.io, infecting 100,000+ websites with malware. Security warnings urge removal of its JavaScript code. Google blocks ads on affected sites. CDN mirrors aim to reduce risks.
At the same time, there is a wrongness in Cloudflare being able to overwrite content and changing the 'truth'. I'm like that Larry David GIF, I just don't know how to process this.
One more thing to note, if you go to the polyfill repo, they've also mentioned they're using Cloudflare to distribute the library.
https://github.com/polyfillpolyfill/polyfill-service/commit/...
I get that they want to do a good thing, but is this something you agree to when you sign up as a Cloudflare customer? If so, that’s kind of crazy.
edit: I am talking about both free and paid users. A toggle does not discount my question whatsoever, especially if this is on by default for free users. I am asking specifically about terms of service.
https://blog.cloudflare.com/polyfill-io-now-available-on-cdn...
In the earlier thread, there was a link to triblondon's post on 2024-02-25 where he urges users to remove that dependency:
https://x.com/triblondon/status/1761852117579427975
Unfortunately, neither of these early warnings seem to have gotten much attention. I wonder if there is some news site or service that would make suspicious ownership transfers of this sort more noticeable? Or maybe this type of supply chain changes actually happen all the time and we just got used to them?
But then again, if the people who carelessly include 3rd party dependencies (i.e. playing with fire) are those who use CF... they probably won't object to it :-)
Some grim future: who knows if Cloudflare will be the ones, under new owners, re-writing payloads to serve adverts (or worse).
edit: I think my comment is being misunderstood, I'm not saying this will happen, there's just a neat symmetry between exploit and mitigation.
uBlock Origin blocks Polyfill.io https://news.ycombinator.com/item?id=40802393
Polyfill supply chain attack: https://news.ycombinator.com/item?id=40791829
The good news is that a (strict) CSP can help with that - and they do mention it in their blog post that they don't rewrite anything if there's a CSP header.
It's also worth noting that a (strict) CSP also prevents their analytics JS from being injected into your site.
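As an added example (not code from the page, from Cloudflare, or from the polyfill project), the following Python does the two defender-side checks that the article summary and the CSP comment above point at: it sweeps HTML for script tags that load from polyfill.io and rewrites them to a mirror, reporting each change so a repository sweep can be reviewed, and it tests whether a page's Content-Security-Policy would already refuse scripts from that host. The mirror location (`MIRROR_HOST`, `MIRROR_PREFIX`), the host list, and the sample HTML are assumptions constructed for the example; verify the mirror URL against Cloudflare's announcement before using it.

```python
"""Added example: find polyfill.io script references, rewrite them to a
mirror, and check whether a CSP already blocks the polyfill.io host.
Not from the page, Cloudflare, or the polyfill project."""
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts the article says should no longer be loaded from (assumed list).
POLYFILL_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Assumed mirror location; verify against the cdnjs announcement before use.
MIRROR_HOST = "cdnjs.cloudflare.com"
MIRROR_PREFIX = "/polyfill"

# Matches <script ... src="..."> / src='...' and captures the URL.
SCRIPT_SRC_RE = re.compile(
    r'(<script\b[^>]*?\bsrc\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL)

# Constructed sample page: two polyfill.io references and one local script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//polyfill.io/v2/polyfill.js' defer></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""


def is_polyfill_url(url: str) -> bool:
    """True if the URL's host is a polyfill.io host (scheme-relative URLs included)."""
    return (urlsplit(url).hostname or "").lower() in POLYFILL_HOSTS


def rewrite_url(url: str) -> str:
    """Map a polyfill.io URL onto the mirror, keeping the path and the
    feature query string so the served bundle stays equivalent."""
    parts = urlsplit(url)
    return urlunsplit(("https", MIRROR_HOST, MIRROR_PREFIX + parts.path,
                       parts.query, parts.fragment))


def rewrite_polyfill_refs(html: str):
    """Return (rewritten_html, findings); findings is a list of
    (original_src, replacement_src) so each change can be reviewed."""
    findings = []

    def _sub(match):
        prefix, quote, src = match.group(1), match.group(2), match.group(3).strip()
        if not is_polyfill_url(src):
            return match.group(0)  # untouched: not a polyfill.io reference
        replacement = rewrite_url(src)
        findings.append((src, replacement))
        return f"{prefix}{quote}{replacement}{quote}"

    return SCRIPT_SRC_RE.sub(_sub, html), findings


def csp_blocks_host(csp: str, host: str) -> bool:
    """True if the CSP's script-src (falling back to default-src) does not
    allow scripts from `host`. Simplified: understands '*', host sources,
    scheme+host sources and '*.example' wildcards; ignores nonces/hashes."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no applicable directive: nothing is restricted
    host = host.lower()
    for source in sources:
        source = source.strip("'").lower()  # 'self', 'none' etc. lose quotes
        if source == "*":
            return False
        if source.startswith(("http://", "https://")):
            source = urlsplit(source).hostname or source
        if source == host:
            return False
        if source.startswith("*.") and host.endswith(source[1:]):
            return False
    return True


if __name__ == "__main__":
    rewritten, found = rewrite_polyfill_refs(SAMPLE_HTML)
    for original, replacement in found:
        print(f"rewrite: {original} -> {replacement}")
    strict = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com"
    print("strict CSP blocks cdn.polyfill.io:", csp_blocks_host(strict, "cdn.polyfill.io"))
```

Run the sweep over every HTML/template file in a repository and commit the `findings` list alongside the change; the CSP check is a quick way to confirm that a site which still references polyfill.io is at least not allowed to execute it.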
The warning signs should have been obvious. There's no profit to be had in this kind of free CDN.
That's great they are fixing it on free sites though.
Frankly I find this to be a weak argument. "We'll continue serving malware because broken websites are worse than infected ones" is not a good argument. I'm a Cloudflare customer and I think this is a very bad look, even if it does mean websites keep "working."