Resolved: Protecting our clients from the Polyfill.io supply chain attack

Recently, a popular domain used to serve a JavaScript library, polyfill [.] io, was purchased by a Chinese company and used to redirect affected websites to malicious third-party domains. This library was used by thousands of websites to provide modern functionality to older browsers.

The creator of Polyfill urged users to remove the library immediately:

If your website uses https://t.co/3xHecLPXkB, remove it IMMEDIATELY.

I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale. https://t.co/GYt3dhr5fI
— Andrew Betts (@triblondon) February 25, 2024

For more information, a great overview and timeline can be found on the Qualsys blog.

What did Workhorse do in response to the polyfill.io vulnerability?

Workhorse scanned all websites that we host or monitor for the affected polyfill.io domain and subdomains. Thankfully, only a single client was affected and their website was remediated quickly.

What do I need to in response to the polyfill.io supply chain attack?

If you are Workhorse client who we host or provide proactive support for, you do not have to do anything. The only affected client was notified when their website was fixed. If you are not a Workhorse client and are unsure, feel free to contact us with additional questions.