Hulu, 100K+ Other Websites May Be Exposed to Polyfill Malware


Security experts warn that a Javascript library known as Polyfill.io has been compromised. This domain is reportedly used by over 100,000 sites, including Disney-owned streaming service Hulu.

Cybersecurity firms Semgrep, C/Side, and Sansec have documented the risk Polyfill poses to sites and unsuspecting web visitors in separate posts this week. If a website uses Polyfill’s domain, attackers could inject any Javascript code onto the site.

So far, the compromised domain has been used to redirect visitors to other, undesired sites. These redirects only occur at certain times and on devices that meet certain conditions, Semgrep explains. Software engineer Chris Hayes also reports that the Polyfill domain is now serving malware.

Google sent out a notification to affected site owners summarizing the security issue and noting that specific third-party libraries like Polyfill.io can “sometimes redirect visitors away from the intended website without the website owner’s knowledge or permission,” according to a screenshot viewed by PCMag.

“To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue,” Google said in a statement.

Cloudflare similarly states that Polyfill’s .io domain cannot be trusted, and has shared a solution for any domain Cloudflare proxies. The Polyfill domain in question is falsely stating that Cloudflare recommends them, when it never has. “We have asked them to remove the false statement, and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted,” Cloudflare said in a post Wednesday.

The Polyfill domain was reportedly sold to a Chinese company, dubbed Funnull, back in February. A site linked to data protection firm Leak Signal notes: “There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords, and credit card information directly as users enter the information in the web browser.”

A software engineer known as “Sukka” claimed in a GitHub post that Funnull is “notorious for providing service for the betting and pornography industries.” PCMag has attempted to contact Funnull for comment.

Even Polyfill’s original creator Andrew Betts—who says he is no longer working on Polyfill and was not responsible for its Funnull sale—is telling sites to drop Polyfill.io. “Remove it IMMEDIATELY,” Betts writes in a post. PCMag has reached out to Betts for comment.
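The article's advice reduces to one concrete audit step: find every page that loads a script from the polyfill.io domain and take it out. Because the reported redirects fire only at certain times and on certain devices, fetching the script and inspecting what comes back is not a reliable check; auditing your own HTML for the reference is. The following scanner is an added example and is not code from PCMag or from any of the firms quoted; the constructed sample page, the `UNTRUSTED_SCRIPT_HOSTS` list and the function names are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article reports as untrusted. This list is an assumption of the
# example; extend it from your own threat intelligence.
UNTRUSTED_SCRIPT_HOSTS = {"polyfill.io"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)


def host_of(src):
    """Return the lower-cased host of a script URL.

    Protocol-relative references ("//polyfill.io/...") have no scheme;
    urlparse still yields the netloc because of the leading slashes.
    Userinfo and port are stripped so only the host name is compared.
    """
    netloc = urlparse(src.strip()).netloc.lower()
    return netloc.split("@")[-1].split(":")[0]


def is_untrusted_host(host):
    """True if host is an untrusted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in UNTRUSTED_SCRIPT_HOSTS)


def find_untrusted_scripts(html):
    """Return every <script src> value in html that points at an untrusted host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [src for src in parser.sources if is_untrusted_host(host_of(src))]


# Constructed sample page: two polyfill.io references (one protocol-relative),
# one unrelated third-party script, and one inline script that has no src.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.test/react.production.min.js"></script>
<script>window.__app = {};</script>
</head><body></body></html>"""


if __name__ == "__main__":
    findings = find_untrusted_scripts(SAMPLE_HTML)
    if findings:
        print("Remove or self-host the following script references:")
        for src in findings:
            print("  ", src)
    else:
        print("No untrusted script hosts found.")
```

Run it over the rendered HTML of each template or page in your site, including server-side includes and CMS themes, since the reference is often added once in a shared header. A protocol-relative or subdomain reference is flagged the same as a full `https://cdn.polyfill.io/...` URL, which is why the host is normalised before comparison rather than matched with a substring search.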

Ping Labs CEO Theo Browne shared a post Wednesday night showing that Hulu is among the thousands of websites using Polyfill’s domain.

“Hulu, just so you know, you are currently compromised,” Browne said.

Ahmad Sandid, a software engineer who previously worked at Disney, responded to the post, asking Browne why he chose to post about the issue publicly.

“When your previous job is suffering from a vulnerability and you know how to fix it but you just have to sit and watch,” Sandid added in a separate post about the issue.

Reached for comment, Browne tells PCMag that current Hulu employees have since been notified about the issue. Hulu has not yet responded to PCMag’s request for comment.
