CDN Serves Malware - 100,000 Polyfill Users At Risk
Written by Mike James   
Wednesday, 26 June 2024

Back in the day, before modern JavaScript was all grown up, a lot of us resorted to polyfills to make up for browsers not supporting the very latest features. It looks as if that choice is coming to bite us. Is this the problem with open source?

JavaScript is such an adaptable language that it proved possible to extend the original language to include new features that were proposed for new versions of the language. Such extensions are generally called polyfills because they filled the cracks in browser support until the new features were implemented.  As stated in the headline, it is estimated that more than 100,000 websites are still using polyfill.js, despite the fact that most browsers have caught up with most of the recent standards.

The problem that we now have is that this open source project no longer appears to be trustworthy. The original maintainer, Andrew Betts, seems to have nothing much to do with it.

This does raise the question of who did own the domain and how it was managed as part of the project. I can't imagine, well I can but only if I wasn't paying much attention, letting someone else register a domain and serve my open source project. The domain name was used to set up a Content Delivery Network (CDN) that served polyfill to all of the websites not hosting the code locally.

The sale of the domain name would have been enough to compromise the software, but in addition the GitHub repo was sold to the same company. It seems that selling a repo is as easy as changing the owner credentials.


It seems that Jake Chapman and the original maintainer Andrew Betts both work at Fastly, which is strange given that Betts is saying don't use it and Chapman is selling it.

With the domain name and the repo in the possession of a commercial operation, virtually anything is possible, barring making the existing code closed source.

Given that the company is based in China, there might well be even more cause for concern. Soon after the takeover, the security company Sansec reported that the CDN was serving malware that redirected users to other sites, a sports betting site for example. It also reported that the malware is very shy and hides away from web analytics and investigators by not serving its payload every time.

It is also claimed that the repo is being censored, as several issues that outlined the malware situation have been deleted, although many recent ones seem to have been left. In addition, Sansec reported a DoS attack soon after its article appeared.

As you can imagine, people have complained to GitHub and even suggested that the repo be deleted, but at the time of writing nothing has happened and I can't say that GitHub's response is impressive. More impressive is the way Fastly and Cloudflare have put up trustworthy alternative CDNs. Google also started blocking ads to sites that use polyfill.io.

The simplest solution to this mess is to switch the URL to the Cloudflare CDN. I chose Cloudflare because it has no association with polyfill.io. This is just a quick fix before removing polyfill altogether as modern browsers don't need it and they are in the majority these days.
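As an added example (not code from the article or from the polyfill project), here is a small Node.js script that audits an HTML page for script tags loading from polyfill.io and rewrites them to the Cloudflare mirror, keeping the version path and the features query string. The mirror base URL https://cdnjs.cloudflare.com/polyfill and the sample HTML are assumptions made for this example.

```javascript
// Added example: find <script src=...> tags that load from polyfill.io
// and rewrite them to Cloudflare's mirror. Not part of the article.
const COMPROMISED_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io"]);
// Assumed mirror base URL (Cloudflare's cdnjs mirror of the polyfill service).
const MIRROR_BASE = "https://cdnjs.cloudflare.com/polyfill";

// Match the src attribute inside <script ...> tags; the HTML is treated as text.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Return the replacement URL for a polyfill.io src, or null if it is not one.
function classifyScriptSrc(src) {
  let url;
  try {
    // Protocol-relative URLs (//polyfill.io/...) still point at polyfill.io.
    url = new URL(src.startsWith("//") ? "https:" + src : src);
  } catch {
    return null; // relative path: a locally hosted script, not a CDN reference
  }
  if (!COMPROMISED_HOSTS.has(url.hostname.toLowerCase())) return null;
  // Keep the version path (/v2 or /v3 + file) and the ?features= query; swap the host.
  return MIRROR_BASE + url.pathname + url.search;
}

// Rewrite every polyfill.io script reference and report what was changed.
function rewritePolyfillReferences(html) {
  const findings = [];
  const rewritten = html.replace(SCRIPT_SRC_RE, (tag, src) => {
    const replacement = classifyScriptSrc(src);
    if (replacement === null) return tag;
    findings.push({ original: src, replacement });
    return tag.replace(src, replacement);
  });
  return { html: rewritten, findings };
}

// Constructed sample page: two polyfill.io references, one local, one other CDN.
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v2/polyfill.min.js"></script>
<script src="/js/app.js"></script>
<script src="https://static.example.com/vendor.js"></script>
</head></html>`;

console.log(rewritePolyfillReferences(SAMPLE_HTML).findings);
```

Run it over your own templates to list every reference before removing polyfill altogether.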

This whole incident raises some questions.

There are no rules for selling repos and perhaps there should be. After all, paintings have a Droit de Suite law which means that the original artist gets a share in any large future sales profits. Perhaps we need the same, but with an element of being able to stop a sale to a less than trustworthy company.

It also raises issues of using a CDN. It is tempting to conclude that local hosting is the best and safest option, but this doesn't take into account the "set up and forget" mentality. A good CDN will serve the latest, if that's what you want, and will make sure that the copy is malware free. I think the rule is to use a CDN which is too big to need to serve malware, and I guess that means the likes of Google and Cloudflare.

Is this a specifically open source problem?

You could think so. It is a consequence of unpaid maintainers getting tired of their role as a punchbag for users and eventually giving up and perhaps even selling to the highest bidder. However, commercial software is just as likely to be sold to the highest bidder and smaller, less valuable, products could easily be bought by a bad actor. So, this is not specifically an open source problem.


More Information

Polyfill supply chain attack hits 100K+ sites

Is it true that polyfill.io hosting is going to be owned by a Chinese company?

Polyfill.io JavaScript supply chain attack impacts over 100K sites


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.
