
We have never authorized polyfill.io to use our name

Cloudflare, a leading provider of content delivery network (CDN) services, cloud security, and DDoS protection, has indicated that the use of its name or logo on the website Polyfill.io is unauthorized. The website was recently caught injecting malware as part of a major supply chain attack on more than 100,000 websites.

To ensure internet security, Cloudflare also automatically replaces polyfill.io links with a secure mirror on websites that use Cloudflare protection (including free plans).


Cloudflare: “Another warning” that Polyfill is not trustworthy

Cloudflare has criticized Polyfill.io’s unauthorized use of the Cloudflare name and logo, as it could lead users to believe that the illegal website is endorsed by Cloudflare.

The cloud security company also warned that this is another reason not to trust Polyfill.io.

Polyfill.io carries the message “Cloudflare Security Protection”, which could be misunderstood (BleepingComputer)

“Contrary to what is stated on the polyfill.io website, Cloudflare has never endorsed the polyfill.io service or authorized the use of the Cloudflare name on its website,” the Cloudflare team wrote in a blog post published yesterday.

“We have asked them to remove the false statement and they have so far ignored our requests. This is another warning sign that they cannot be trusted.”

The caution follows the discovery of the Polyfill.io supply chain attack, which affected more than 100,000 websites.

In February, a Chinese company called “Funnull” bought the polyfill.io domain and injected malicious code into the scripts served by its CDN.

As Sansec researchers discovered, the domain began injecting malware onto mobile devices that visited a website that embedded cdn.polyfill(.)io code.

Yesterday, BleepingComputer discovered that the DNS records for cdn.polyfill(.)io were mysteriously set to Cloudflare’s servers. However, this is not a clear sign that the attack has been contained, as the (new) domain owners could easily change the DNS records back to malicious servers.

Furthermore, it is quite possible that the owners of Polyfill.io – like any other website – used Cloudflare’s DDoS protection services. However, this does not mean that Cloudflare supports the domain.

BleepingComputer had previously contacted Cloudflare to see if they were involved in changing the DNS records, but received no response. As of today, polyfill.io is no longer online.

Automatic URL replacement available for free

In the last 24 hours, Cloudflare has released an automated URL rewriting service to replace all Polyfill.io links on Cloudflare customers’ websites with a secure mirror CDN set up by Cloudflare.

“We have released an automatic JavaScript URL rewriting service in the last 24 hours that rewrites any link to polyfill.io found on a Cloudflare-proxied website into a link to our mirror at cdnjs,” the Cloudflare team announced in the same blog post.

“This avoids any disruption to site functionality while reducing the risk of a supply chain attack.”

“Every website on the free plan now has this feature automatically enabled. Websites on any paid plan can enable this feature with a single click.”

Cloudflare’s URL rewriting service for insecure JavaScript libraries (Cloudflare)

Cloudflare users will find this new setting under Security ⇒ Settings in any zone that uses Cloudflare.

For those who do not use Cloudflare, the company still recommends removing any use of polyfill.io and finding an alternative solution.

“Although the automatic replacement feature covers most cases, the best course of action is to remove polyfill.io from your projects and replace it with a secure alternative mirror such as Cloudflare’s, even if you are a customer,” the company explains.

“You can do this by searching your code repositories for instances of polyfill.io and replacing them with cdnjs.cloudflare.com/polyfill/ (Cloudflare’s mirror). This is a non-breaking change as the two URLs serve the same polyfill content. All site owners, regardless of which site uses Cloudflare, should do this now.”
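One way to carry out the repository search and replacement described above, as an added example that is not code from Cloudflare or from the original article. The function names, the list of file suffixes, the choice to force `https://`, and the decision to only report bare hostnames (for example in a Content-Security-Policy entry) rather than rewrite them are assumptions of this sketch.

```python
import re
import sys
from pathlib import Path

MIRROR = "https://cdnjs.cloudflare.com/polyfill"   # mirror named in Cloudflare's advice
REWRITABLE = {"polyfill.io", "cdn.polyfill.io"}    # the two hosts the article names
SUFFIXES = {".html", ".htm", ".js", ".ts", ".php", ".vue", ".md"}  # assumed file types

# polyfill.io or any subdomain as a whole hostname; the lookarounds reject
# look-alikes such as mypolyfill.io and polyfill.io.example.com.
REF = re.compile(
    r"(?<![\w.-])(?P<prefix>(?:https?:)?//)?(?P<host>(?:[\w-]+\.)*polyfill\.io)"
    r"(?![\w-]|\.\w)",
    re.IGNORECASE)

def rewrite(text):
    """Return (new_text, findings); findings are (line_no, match, action)."""
    findings = []
    def repl(m):
        line_no = text.count("\n", 0, m.start()) + 1
        if m.group("prefix") and m.group("host").lower() in REWRITABLE:
            findings.append((line_no, m.group(0), "rewritten"))
            return MIRROR  # the path after the host is left untouched
        # Bare hostnames (CSP entries, docs) and other subdomains: report only.
        findings.append((line_no, m.group(0), "manual review"))
        return m.group(0)
    return REF.sub(repl, text), findings

def scan_repo(root, apply=False):
    """Report references under root; files are modified only when apply=True."""
    report = {}
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or path.suffix.lower() not in SUFFIXES or not path.is_file():
            continue
        try:
            original = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # not UTF-8 text; leave it alone
        updated, findings = rewrite(original)
        if findings:
            report[str(path)] = findings
        if apply and updated != original:
            path.write_text(updated, encoding="utf-8")
    return report

if __name__ == "__main__":
    root = next((a for a in sys.argv[1:] if a != "--apply"), ".")
    for name, found in scan_repo(root, apply="--apply" in sys.argv).items():
        print(*(f"{name}:{n}: {m} -> {a}" for n, m, a in found), sep="\n")
```

Run it without `--apply` first to get a report of every reference and review the "manual review" entries by hand.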

Another cybersecurity company, Leak Signal, has also created a website, Polykill.io, that lets you search for websites that use cdn.polyfill.io and provides information on how to switch to alternatives.
