Lädt...


🔧 To Polyfill Or Not To Polyfill.io


Nachrichtenbereich: 🔧 Programmierung
🔗 Quelle: dev.to

The topic of Polyfill.io and its sale came across my radar about a week ago when Tobie Langel shared a link to LinkedIn on the OpenJS Foundation Slack.

Wesley Hales shared:

I don't do these panicky-type of PSAs unless it's serious, but this is a REALLY REALLY big deal because so many websites use this third party javascript library!

The sale took place on February 24, 2023, so it has been a minute. In the post on LinkedIn, there was a link provided to a GitHub issue, and from there I also found the tweet (X?) from Andrew Betts strongly encouraging folks to stop using the service. At first, it sounded like the main concern here was that a Chinese company was behind the purchase. I understand that in the current world political climate, there is a "trend" to distrust anything Chinese. This however also impacts other communities such as Nigerian communities and others in Africa, India, and many developing countries. Claudio Wunder on the OpenJS Foundation Slack was the first to raise this concern which I then echoed.

As someone from South Africa, I am keenly aware of this and so, I wanted to dig in some more and understand what the larger context was.

After doing some internet sleuthing :) I discovered that the "company" who is likely behind the purchase is called Funnull and when I visited their website, well, let's just say a lot of the concerns became crystal clear. Just looking at their meta description (not translated through a tool), it reads as follows:

【方能CDN】免备案 - 加速 高防 防劫持 IP隐藏。[FUNNULL CDN] The first brand in the industry, with strong technical strength. T-level defense Effective defense against CC attacks Can test multiple sets of pricing plans.

After Tobie had some coffee he shared why he felt this was a valid concern, and what he shared made it crystal clear. Let's start with something seemingly simple, the copyright text right at the bottom of their footer.

@2022 FUNNULL LLC Made in USA

Let's also assume the @ instead of © was a typo, we all make those, but last I checked we are in 2024. Going to their Contact Us page, they seem to have offices at "12H, Stevens Creek Blvd, Cupertino, CA, United States." However, should you enter that into Google Maps, there is no listing for any company by the name Funnull so, "Made in USA"?

One of the other reasons highlighted by Tobie was:

The complete lack of warning and information about the implications of the ownership transfer is very concerning.

I completely agree and this reminds me of the outrage that happened with Audacity [1].

And then this is a big one:

Change in jurisdiction impacts compliance requirements around data processing (e.g. there's no EU-China privacy shield agreement that I'm aware of.)

They do have a General Data Protection Regulation (GDPR) page though, but when you read it you stumble upon this sentence.

funnull.com is fully committed to helping you achieve compliance, so we will launch an anonymous feature before May 25, 2018, and ensure that no user identifiable data is collected or processed as much as possible.

I do not know about you, but that does not instill commitment or a sense of security and respect for user privacy in my mind. If you read a little further you will find this on the same page:

We have thoroughly revised our user privacy and data policy

However, none of us could find a privacy or terms of service page on their website. Even that quoted line does not link to their privacy policy. That is more than enough red flags for me. If I was using the service, I would abandon it for sure.

If you read through the GitHub issue thread this whole situation becomes more and more concerning almost like opening Pandora's Box.

Just the facts

  • Uncertainty about the future of polyfill.io under new ownership, particularly regarding its connection to China.
  • Lack of clear communication and transparency about the ownership transfer and its implications for users.
  • Concerns about potential changes to service terms without notice, affecting user trust and reliability.
  • Technical issues reported by users, such as errors and bad gateway responses, possibly linked to the ownership change.
  • Another shorter GitHub thread.
  • Also see Polykill

What now?

Since the debacle started and exploded in the JavaScript ecosystem Fastly (Fastly's fork of the project) and Cloudflare have stood up alternatives that I would highly recommend. This shows that the open source and web ecosystem "supply chain" still has a lot of problems, edge cases, and gaping holes that need to be addressed.

It also screams that we need to support those who build the projects, libraries, and services we all rely on so we can ensure a secure and sustainable future for open-source and the web.

[1] Do decide for yourself though.

Check out SAML Jackson if you are building a SaaS and need to add support for single sign-on (SSO), SAML, and DirectorySync.

...

🔧 To Polyfill Or Not To Polyfill.io


📈 42.28 Punkte
🔧 Programmierung

📰 "Passwort" Folge 6: Kaspersky, Polyfill und andere News


📈 18.5 Punkte
📰 IT Nachrichten

📰 Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill: Lieferkettenangriff gefährdet 100.000 Webseiten


📈 18.5 Punkte
📰 IT Nachrichten

📰 "Passwort" Folge 6: Kaspersky, Polyfill und andere News


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill.io owner punches back at 'malicious defamation' amid domain shutdown


📈 18.5 Punkte
📰 IT Security Nachrichten

🎥 Polyfill Empties Trust, regreSSHion, CocoaPods Vulns & Secure Design, LLM Bughunters - ASW #290


📈 18.5 Punkte
🎥 IT Security Video

📰 Polyfill.io JavaScript supply chain attack impacts over 100K sites


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill Supply Chain Attack: What It Is and How to Know If You’re Affected


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies


📈 18.5 Punkte
📰 IT Security Nachrichten

🔧 How to write polyfill for map


📈 18.5 Punkte
🔧 Programmierung

📰 Polyfill supply-chain attack: What to do when your CDN goes evil


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Großteil aus Deutschland: Fast 400.000 Webhosts verbreiten Malware via Polyfill.io


📈 18.5 Punkte
📰 IT Nachrichten

🔧 Polyfill in JavaScript


📈 18.5 Punkte
🔧 Programmierung

📰 Polyfill claims it has been 'defamed', returns after domain shut down


📈 18.5 Punkte
📰 IT Security Nachrichten

🕵️ Over 380,000+ Hosts Embedding Polyfill JS script Linking to Malicious Domain


📈 18.5 Punkte
🕵️ Hacking

🔧 Inside the container query polyfill


📈 18.5 Punkte
🔧 Programmierung

📰 WordPress Plugins at Risk From Polyfill Library Compromise


📈 18.5 Punkte
📰 IT Security Nachrichten

🔧 Container queries begin to land in stable browsers while the polyfill gets a big update


📈 18.5 Punkte
🔧 Programmierung

📰 Cloudflare: We never authorized polyfill.io to use our name


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Over 380k Hosts Still Referencing Malicious Polyfill Domain


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Security: Zwei Probleme in php-brumann-polyfill-unserialize (Fedora)


📈 18.5 Punkte
🐧 Unix Server

🔧 Polyfill supply chain attack embeds malware in JavaScript CDN assets


📈 18.5 Punkte
🔧 Programmierung

📰 Over 380k Hosts Still Referencing Malicious Polyfill Domain: Censys


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Zwei Probleme in php-brumann-polyfill-unserialize (Fedora)


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill Supply Chain Attack Hits Over 100k Websites


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill Vulnerability Effect on the WordPress Ecosystem


📈 18.5 Punkte
📰 IT Security Nachrichten

🔧 JavaScript-Service Polyfill.io: 100.000 Sites binden Schadcode über CDN ein


📈 18.5 Punkte
🔧 Programmierung

📰 Polyfill.io claims reveal new cracks in supply chain, but how deep do they go?


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill Supply Chain Attack Hits Over 100k Websites 


📈 18.5 Punkte
📰 IT Security Nachrichten

📰 Polyfill.io claims reveal new cracks in supply chain, but how deep do they go?


📈 18.5 Punkte
📰 IT Security Nachrichten

🔧 Polyfill for Bind()


📈 18.5 Punkte
🔧 Programmierung

matomo