The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.
If your website uses polyfill.io, remove it IMMEDIATELY.
I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale.
No website today requires any of the polyfills in the polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.
Description
The domain now serves a malicious script. Even before this security incident, it had already been recommended that devs avoid it.
Sources
The domain now serves malware: https://cside.dev/blog/more-than-100k-websites-targeted-in-web-supply-chain-attack
Similar GitHub issues discussing its removal:
Polyfill.io creator:
- posted on X/Twitter
Solution
It's most important that cheatsheets no longer helps users install polyfill.io from a malicious domain.
However, it might be a good idea to notify users that they should no longer use polyfill.io, rather than completely removing the cheatsheet without notice.
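An added example, not part of the original issue or the cheatsheets project: a Python check that lists references to polyfill.io in a page or cheatsheet source, matching on the parsed host rather than a substring so that file paths and lookalike domains are not flagged. The function names, the sample input and the lookalike hosts in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BLOCKED_DOMAIN = "polyfill.io"  # the domain named in the issue above

# Absolute (http/https) and protocol-relative (//host/...) URLs.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>()\]]+""", re.IGNORECASE)


def host_is_blocked(url):
    """True when the URL's host is polyfill.io or any subdomain of it."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. an unbalanced IPv6 bracket
        return False
    host = host.lower().rstrip(".")  # tolerate a trailing-dot FQDN
    return host == BLOCKED_DOMAIN or host.endswith("." + BLOCKED_DOMAIN)


def find_blocked_refs(text):
    """Return (line_number, url) for every URL in text that points at the domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            if host_is_blocked(match.group(0)):
                hits.append((lineno, match.group(0)))
    return hits


# Constructed sample: lines 1-2 load from the domain, lines 3-6 must not match.
SAMPLE = '''\
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.com/polyfill.io/polyfill.min.js"></script>
<script src="https://notpolyfill.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io.example.net/v3/polyfill.min.js"></script>
<script src="/vendor/polyfill.min.js"></script>
'''

if __name__ == "__main__":
    for lineno, url in find_blocked_refs(SAMPLE):
        print(f"line {lineno}: {url}")
```

Because it scans for URLs rather than parsing HTML, the same function also catches references inside Markdown code fences, CSS and JavaScript strings.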