Polyfill supply chain attack hits 100K+ sites:
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.
This is fine.
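
An audit check for the embed described above, as an added example that is not part of the original item: it lists every script or link tag in a page whose URL host is polyfill.io or one of its subdomains, and whether the tag carries a Subresource Integrity hash. The function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_DOMAIN = "polyfill.io"  # domain named in the item above

def host_matches(url, domain=FLAGGED_DOMAIN):
    """True if the URL's host is `domain` or one of its subdomains."""
    try:
        host = urlsplit(url.strip()).hostname or ""  # also handles //host/path
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

class EmbedFinder(HTMLParser):
    """Collects <script src> and <link href> tags that point at the domain."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = {"script": a.get("src"), "link": a.get("href")}.get(tag)
        if url and host_matches(url):
            # "sri": an integrity hash makes the browser reject changed content
            self.findings.append({"line": self.getpos()[0], "tag": tag,
                                  "url": url, "sri": bool(a.get("integrity"))})

def find_embeds(html):
    finder = EmbedFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not from any real site).
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//CDN.Polyfill.io/v2/polyfill.js" async></script>
<link rel="preconnect" href="https://cdn.polyfill.io">
<script src="/static/polyfill.io.js"></script>
<script src="https://notpolyfill.io/p.js"></script>
<script src="https://cdn.polyfill.io.example.test/p.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for f in find_embeds(SAMPLE_HTML):
        print(f"line {f['line']}: <{f['tag']}> {f['url']} sri={f['sri']}")
```

The host comparison is done on the parsed hostname, so a local file named polyfill.io.js and look-alike hosts such as notpolyfill.io are not reported.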