New options for Polyfill.io users

Polyfill is a popular tool for enhancing browser capabilities. Many users access it by linking to the polyfill.io service, which has recently changed ownership to a new party.

In order to ensure that everyone can maintain reliable and trusted access to Polyfill features, we have identified a few alternatives:

  • First, Fastly is offering polyfill-fastly.net and polyfill-fastly.io as a free, drop-in replacement for polyfill.io in your code; this is a Tier 2 open source project available now.

  • Second, Fastly’s fork of the open source code can be used to self-host the service to maintain full control over the code delivered to users.

  • And finally, there’s a very easy option of removing it entirely, as most modern browsers prioritize cross-compatibility by default and you may well not need a shim to perform these functions.

Moving to one of these new options can help ensure the security, reliability and trustworthiness of your site. Polyfill’s code remains under the same open license as ever, and Fastly customers that need any help with this transition can reach out to our support team for help as always.


When did Fastly become aware of the supply chain attack conducted by Funnull?

@eligrey – We found out when everyone else did with the publishing of the article by Sansec (Polyfill supply chain attack hits 100K+ sites). When we advised people to be aware of the sale, that was out of an abundance of caution just in case something like this did happen.

Can Fastly NGWAF prevent this vulnerability?
If it can, but only under certain conditions, let me know the conditions.

Hi @shinpei3, this isn’t something that our NGWAF product is designed to detect. However, using Fastly Compute, a user could scan their HTML response bodies for references to polyfill.io and rewrite those to polyfill-fastly.io.


Indeed, this vulnerability is in the response, not the request, so it’s not something that a WAF is designed to address.

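The two replies above make the same point from different angles: the risk lives in the HTML your origin sends to the browser, not in the request, so the control has to inspect and rewrite the response body. The following is an added example (not Fastly's code and not part of this thread) of the core of such a rewrite: it reports every reference to the old polyfill.io host found in a page and returns a copy with those references pointed at polyfill-fastly.io. It assumes the `cdn.polyfill.io` subdomain should be treated the same as the bare domain, and it uses a regular expression over `src`/`href` attributes rather than a full HTML parser, which is adequate for script and link tags but would need a streaming HTML rewriter for very large bodies. Wiring it into a Fastly Compute fetch handler (apply only to `text/html` responses, then log what `findPolyfillReferences` returned) is left as an assumption about your deployment.

```javascript
// Added example, not code from Fastly or from the polyfill project.
// Scans an HTML body for references to the old polyfill.io service and
// rewrites them to point at the polyfill-fastly.io replacement.

const NEW_HOST = "polyfill-fastly.io";

// Matches src/href attribute values whose host is polyfill.io or
// cdn.polyfill.io (the subdomain is an assumption about how sites embedded
// the script), with an absolute (http/https) or protocol-relative (//)
// scheme. The lookahead after the host stops look-alike hosts such as
// "polyfill.io.example" from matching. Capture groups:
//   1 = attribute name, "=", and opening quote
//   2 = scheme part ("https://", "http://" or "//")
//   3 = host
//   4 = path/query/fragment (optional)
const REF_RE =
  /((?:src|href)\s*=\s*["'])((?:https?:)?\/\/)(cdn\.polyfill\.io|polyfill\.io)(?=[\/?#"'])([\/?#][^"']*)?/gi;

// Returns the old-service URLs referenced in the markup, in document order,
// so the edge logic can log or alert on them. An empty list means clean.
function findPolyfillReferences(html) {
  const found = [];
  for (const m of html.matchAll(REF_RE)) {
    found.push(m[2] + m[3] + (m[4] || ""));
  }
  return found;
}

// Returns a copy of the markup with every old-service reference pointed at
// NEW_HOST. Scheme, path and query string (feature list, flags) are kept as
// they were, so the replacement service receives the same parameters.
function rewritePolyfillReferences(html) {
  return html.replace(
    REF_RE,
    (_match, attr, scheme, _host, rest) => attr + scheme + NEW_HOST + (rest || "")
  );
}

// Constructed sample page (not taken from any real site). The third tag is a
// negative case: "polyfill.io" appears only in the path, so it is untouched.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<link rel="stylesheet" href="https://example.com/polyfill.io.css">
</head><body></body></html>`;

// Stand-alone usage: report what was found, then show the rewritten page.
console.log("references found:", findPolyfillReferences(SAMPLE_HTML));
console.log(rewritePolyfillReferences(SAMPLE_HTML));
```

Running it on the constructed sample reports the two script references, leaves the `example.com` link alone, and produces markup in which `findPolyfillReferences` finds nothing. Logging that list at the edge is the useful by-product: it gives you an inventory of which pages still carry the old reference so they can be fixed at the source rather than patched on every response.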

Understood. Thank you.