EXH-030 | 2024 | Fictional reconstruction

When the CDN Was Sold

June 2024. The polyfill.io domain quietly changes hands. The same <script> tag on a hundred thousand websites starts serving conditional malware to mobile users. Yours might be one of them.

Type: Modern / Cloud
Difficulty: Beginner
Era: 2020s
Time: 8 min

Briefing

polyfill.io was a long-running open-source CDN that served browser polyfill scripts conditional on the user's User-Agent. In February 2024 the domain was sold to a Chinese company called Funnull. By June, traffic from mobile devices to certain referrer domains was being served scripts that redirected to gambling and adult sites and, in some samples, dropped malware via classic drive-by patterns. Cloudflare and Fastly began intercepting the domain at the edge. Andrew Betts (the original author) and the OWASP team published advisories. The Polyfill.io maintainer pages on GitHub and npm have nothing to do with the new domain owner. Walk your own templates and find anything you're still loading from polyfill.io.

Your role

Solo engineer for a small marketing site. The community advisories about polyfill.io dropped three days ago and you're the only person who can audit your own HTML.

Objective

Find every page on your site that loads a third-party CDN, identify which ones reference polyfill.io, and replace them with a known-good source.
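One way to run the audit described in the objective, as an added example that is not part of the original exhibit: it parses each template, lists every third-party host referenced by a `<script src>` or `<link href>`, and flags polyfill.io and its subdomains. The site hostname, the `*.html` glob, and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

SITE_HOSTS = {"www.example.test"}  # assumption: the site's own hostname(s)
FLAGGED = "polyfill.io"            # domain named in the advisories

# Constructed sample template (not taken from the exhibit).
SAMPLE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io.example.test/p.js"></script>
<script src="https://www.example.test/js/app.js"></script>
</head></html>
"""

class AssetRefs(HTMLParser):
    """Collect (line, url) for every <script src> and <link href>."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        want = {"script": "src", "link": "href"}.get(tag)
        for name, value in attrs:
            if want and name == want and value:
                self.refs.append((self.getpos()[0], value.strip()))

def is_flagged(host):
    # Exact domain or a subdomain; a lookalike prefix on another domain is not.
    return host == FLAGGED or host.endswith("." + FLAGGED)

def audit_html(text):
    """Return sorted (line, host, flagged) for each third-party asset."""
    parser = AssetRefs()
    parser.feed(text)
    parser.close()
    found = []
    for line, url in parser.refs:
        # urlsplit also resolves protocol-relative URLs such as //host/path
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host and host not in SITE_HOSTS:
            found.append((line, host, is_flagged(host)))
    return sorted(found)

def audit_tree(root):
    """Map each *.html file under root to its third-party references."""
    pages = sorted(Path(root).rglob("*.html"))
    scans = ((p, audit_html(p.read_text(errors="replace"))) for p in pages)
    return {str(p): hits for p, hits in scans if hits}
```

Calling `audit_tree("/srv/marketing-site")` returns the per-file list to work through; entries with the flag set are the references to replace.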

Terminal environment

user: responder
host: edge-cdn-01
cwd: /srv/marketing-site
steps: 6

Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.