What is polyfill and what is the problem?

You might have heard about (or been asked about) a security vulnerability affecting websites that use Polyfill.io. Read on if you want to understand what it is, why it's happened, and what you can do about it.

polyfill.io provides libraries that allow modern web features to work in older browsers such as Internet Explorer 10 and 11.

In Feb 2024, the polyfill.io domain was sold to a Chinese company, which recently appears to be modifying the content of the polyfill libraries, potentially to serve up malware to unsuspecting users.

Because many open source projects use polyfill.io libraries as a building block for compatibility, thousands of sites are potentially at risk.

What is the impact?

If your website or web application uses polyfill.io, you are potentially affected, and your website/application might be serving malicious software to your end users. This is obviously bad for your users, but also bad for your reputation.

What should you do about it?

As older browsers have declined in use (IE11 stopped being supported by Microsoft in June 2022), the polyfill.io libraries are far less frequently needed nowadays, and so often the simplest fix is to remove any code that uses the library. But this isn't always straightforward, and may require complex changes to your website or application. If you're not sure whether you are affected, or you're not sure how to fix it, you should ask your technical team to check. They should be able to identify any vulnerable code and help you plan a fix.
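The check described above (finding any page that still loads scripts or stylesheets from polyfill.io) can be automated. The scanner below is an added example written for this post, not code from Versantus or the polyfill.io project. It parses HTML with Python's standard library, resolves the host of every `script`, `link` and `iframe` URL, and flags those on a polyfill.io host. The host list, the file suffixes and the sample page are constructed for the example; protocol-relative URLs (`//polyfill.io/...`) are handled because they are common in older templates, and look-alike hosts such as `polyfill.io.example.net` are deliberately not matched.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Hosts that served the polyfill.io libraries. Constructed list for this
# example; extend it with any other hosts your own inventory identifies.
POLYFILL_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Tag attributes that pull a remote resource into the page.
URL_ATTRIBUTES = {"script": "src", "link": "href", "iframe": "src"}


def _host_of(url: str) -> str:
    """Return the lower-cased host of a URL, treating protocol-relative
    URLs (//host/path) as https so urlsplit can parse them."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def _is_polyfill_host(host: str) -> bool:
    """Exact host match or a subdomain of polyfill.io; look-alike domains
    such as polyfill.io.example.net do not match."""
    return host in POLYFILL_HOSTS or host.endswith(".polyfill.io")


class _ReferenceCollector(HTMLParser):
    """Collects (tag, url) pairs for every attribute that loads a remote resource."""

    def __init__(self) -> None:
        super().__init__()
        self.references: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRIBUTES.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.references.append((tag, value.strip()))


def find_polyfill_references(html: str) -> list[str]:
    """Return, in document order, every URL in `html` that loads from a polyfill.io host."""
    collector = _ReferenceCollector()
    collector.feed(html)
    return [url for _tag, url in collector.references if _is_polyfill_host(_host_of(url))]


def scan_tree(root: str, suffixes=(".html", ".htm", ".php", ".twig")) -> dict[str, list[str]]:
    """Walk `root` and map each template/page file to the polyfill.io URLs it references.
    The suffix list is an assumption; add whatever your site uses for templates."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_polyfill_references(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample page: two real polyfill.io loads, one unrelated CDN,
# one look-alike host and one local file that merely contains the string.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<link rel="stylesheet" href="https://polyfill.io.example.net/style.css">
<script src="/assets/polyfill.io-lookalike.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for url in find_polyfill_references(SAMPLE_PAGE):
        print("polyfill.io reference:", url)
```

Run `scan_tree("/path/to/site")` against a checkout of your theme and templates to get a file-by-file list to hand to the technical team; JavaScript bundles that build the script tag at runtime need a plain text search in addition to this HTML parse.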

How does this happen, and how can you avoid it in future?

Websites and software created today are built on hundreds or thousands of 3rd-party components (libraries, plugins, modules) that have been developed over many years and are battle-tested. This means you benefit from thousands of hours of previous development, which is a “Good Thing”.

But occasionally, "standing on the shoulders of giants" can make you vulnerable. If the 3rd-party component is afflicted with a bug or, as in this case, is maliciously attacked, you can be vulnerable too.

Removing all 3rd-party code from your website is not a realistic proposition - it's the equivalent of creating your own water company and distribution network to avoid an annual hosepipe ban. What you can do is ensure you have processes and tools to regularly monitor for issues and threats, and respond quickly if they arise. 

Keep your eyes open

If you use a modern web platform such as Drupal, there are dedicated teams monitoring for vulnerabilities, and you can subscribe to mailing lists to alert you as they are found. You should also undertake your own active security monitoring, with regular code updates and external penetration testing to verify the security of your site. If you don't have the in-house skills to manage this, a trusted partner like Versantus can monitor your site's security and performance and keep it running smoothly. Give us a call if you think we can help.

Stay safe out there people.