Over 380k Hosts Still Referencing Malicious Polyfill Domain: Censys

Summary:
Censys reports that over 380,000 internet-exposed hosts still load JavaScript from the recently suspended polyfill[.]io domain. Originally used to provide modern functionality in older browsers, polyfill[.]io was suspended after it began redirecting visitors to betting and adult sites. Chinese CDN company Funnull purchased the domain in February 2024; the abuse that followed affected over 100,000 websites, including major platforms such as Hulu and Mercedes-Benz.

Most affected hosts are in Germany's Hetzner network, but domains tied to entities such as Hulu and Warner Bros also feature prominently. Censys identified 182 affected hosts with .gov domains, highlighting broad usage across sectors, including government. Despite mitigation efforts, Censys warns of broader implications, noting that other suspicious domains such as bootcdn[.]net and bootcss[.]com show similar characteristics, which suggests a potentially ongoing malicious campaign.
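As an added example (not code from Censys or the SecurityWeek article), the following Python audit flags script and stylesheet references to the three domains named above, including subdomains such as cdn.polyfill.io, so a site owner can check their own pages for the same exposure; the sample HTML is constructed, and the Cloudflare URL in it stands in for a non-flagged replacement host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains flagged in the report (written defanged there as polyfill[.]io etc.).
SUSPECT_DOMAINS = ("polyfill.io", "bootcdn.net", "bootcss.com")


def is_suspect_host(host: str) -> bool:
    """True if host is a flagged domain or a subdomain of one (e.g. cdn.polyfill.io)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


class _RefCollector(HTMLParser):
    """Collect src/href values from <script> and <link> tags."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            self.refs.append(("link", a["href"]))


def find_suspect_refs(html: str) -> list[tuple[str, str]]:
    """Return (tag, url) for every external reference whose host is flagged."""
    parser = _RefCollector()
    parser.feed(html)
    hits = []
    for tag, url in parser.refs:
        # urlsplit also resolves protocol-relative URLs ("//cdn.bootcdn.net/...").
        host = urlsplit(url).hostname
        if host and is_suspect_host(host):
            hits.append((tag, url))
    return hits


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.bootcdn.net/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_suspect_refs(SAMPLE_HTML):
        print(f"{tag}: {url}")
```

Run it over saved copies of your own pages or crawler output; a hit means the page still pulls code from one of the flagged domains and should be pointed at a trusted replacement.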

Security Officer Comments:
The incident has prompted a shift to secure alternatives such as Fastly and Cloudflare for polyfill services; the number of websites using these alternatives rose from 80,312 to 216,504 by July 2. Censys advises vigilance against further malicious activity from related domains, underscoring ongoing cybersecurity challenges in web infrastructure management.

Link(s):
https://www.securityweek.com/over-380k-hosts-still-referencing-malicious-polyfill-domain-censys/