How to ‘Hack’ the Polyfill Exploit

July 25, 2024 •


The Polyfill Exploit didn’t need to happen. 

And avoiding it can even make your website faster.

Let's dive into the hows, whys, and most importantly, what you can do about it!

Why did the Polyfill Exploit happen?

To put it plainly, the Polyfill exploit happened because the polyfill.io domain, which served the hosted Polyfill library from cdn.polyfill.io, was sold to a Chinese company (Funnull) in early 2024. A few months later the script served from that CDN was replaced with a version that injected malicious code into the pages loading it. Anyone who had pasted a `<script src="https://cdn.polyfill.io/...">` tag into their site was now running whatever the new owner chose to serve.

That’s it.

For an action so simple, it was devastating: well over a hundred thousand websites were still loading the script at the time, and every visitor to those sites received it.

What can you do about it?

There are two relatively straightforward ways to avoid these exploits in the future.


Integrity and Anonymous (Subresource Integrity)

When you include a third-party script, add an `integrity` attribute and `crossorigin="anonymous"` to the tag.

To demonstrate:

    <script src="https://google.com/definitely_not_nsa_funded.js"
            integrity="sha384-..."
            crossorigin="anonymous"></script>

With `integrity` set, the browser downloads the file, hashes it and compares the result with the value in the attribute. If they don't match, the script is never executed. The `crossorigin="anonymous"` part is what makes this work for a third-party host: it turns the request into a CORS request without cookies or other credentials, which is what allows the browser to read the response and hash it (the CDN has to answer with an `Access-Control-Allow-Origin` header for this to succeed).

This is a poor fix on its own, however:

It is not actually that anonymous. "anonymous" only means no cookies or other credentials are sent; the CDN still sees every visitor's IP address, User-Agent and Referer, so it can keep tracking them.

If the integrity check fails, it breaks your website. That is the right failure mode (a blocked script is better than malware in your page), but every legitimate update on the CDN side now means an outage until you update the hash. Worse, polyfill.io tailored the bundle to each visitor's User-Agent, so different browsers received different bytes and no single hash could ever have matched for all of them: SRI was not even an option there.


Copy and Paste

Small trigger warning.

My second solution tends to be a bit of a contested subject, and I'm confident a number of you will disagree. But I believe this to be the correct approach.

I copy and paste all third-party CSS/JS into my static folder and simply host it myself!

Why?

  • I gain full control over my assets. Nothing gets suddenly altered, whether maliciously or unintentionally, because the only copy my visitors ever receive is the one I reviewed and committed.
  • I avoid fetching resources from many different domains. Every extra domain costs the browser a DNS lookup and a fresh TCP and TLS handshake before the first byte arrives.
  • We can develop offline. This is particularly important for my team, as my Ukrainian team members might not have internet because of the bombings.

Some people would argue that this method is slow, but in my opinion it's the opposite.

Let me explain...

Say you have 10 assets from 10 different domains. Before it can download anything, the browser has to resolve 10 hostnames and open 10 separate connections, each with its own TCP and TLS handshake; only then come the 10 actual fetches.

That is at least 20 requests for 10 assets, plus the connection setup for every new host.

Very, very slow. Sometimes the DNS answers and the files are cached, but you cannot count on it: modern browsers partition the HTTP cache by top-level site, so a library another site already pulled from the same CDN does nothing for your visitors.

To improve performance, I put my own static assets behind BunnyCDN. The browser does a single DNS lookup for everything, and the files are still served from edge servers worldwide within milliseconds.

Take it Up a Notch

If, for example, I have two scripts, I simply merge them into one file, saving another round trip to the CDN. Nowadays the slow part is usually not the number of megabytes transferred but the number of round trips to the server.

I understand it may seem odd, but it gets the job done incredibly fast, and that is what I aim for. So should you!



You can find a video on my YouTube channel that walks through setting up BunnyCDN to serve your static files the same way it serves mine. Check it out!