The Polyfill[.]io CDN associated with the open-source Polyfill.js library has changed hands, and the code it serves has been modified to perform malicious actions. Essent does not use the library or the CDN, but your websites may be affected if custom functionality on them references the Polyfill[.]io CDN.

Note: All references to the CDN's domain in this article have been intentionally broken by wrapping the dot in square brackets, [.], so that the links do not work. The actual domain is Polyfill[.]io written without the square brackets.
Actions to Take
Bring this Support notice to the attention of your Information Technology department and any third-party vendors of web-based systems.
Issue
The CDN for the open-source browser-compatibility library Polyfill, located at Polyfill[.]io, was acquired from its original owner and has since been modified to include unwanted behavior.
Impact
Visitors to sites that load the library from Polyfill[.]io were being redirected to third-party sites, including sites with gambling and adult content. There are also reports of the modified library harvesting personally identifiable information, payment details, and credentials.
Essent Service Impact
Essent does not use the Polyfill library in any Essent services or products, including but not limited to Essent.com, EssentOne, and Essent SiteBuilder Pro Designer.
Corrective Action
Check all websites, including customized Essent SiteBuilder Pro sites, for references to the Polyfill[.]io CDN that your web administrators may have added, then remove them or replace them with references to a safe mirror of the Polyfill library. Check page templates, stylesheets, and script files, not just the site's home page: a reference can be in any file the browser loads.

Cloudflare provides a safe mirror of the Polyfill CDN that may be used in place of Polyfill[.]io if the library is still needed. See https://cdnjs.cloudflare.com/polyfill/ for more information on using the Cloudflare replacement.
If the reference is in your custom code:
For most sites, the Polyfill library is no longer required and the reference can simply be removed, because all modern browsers natively provide the interfaces that previously required Polyfill for cross-browser compatibility. Removing the reference also removes the dependency on any third-party CDN.
If the site contains functionality that depends on the Polyfill library, replace the reference with one to a safe mirror, such as the Cloudflare mirror described above, and confirm that the page still loads and behaves correctly afterwards.
If the reference is in code loaded from a third-party vendor:
Notify the third-party vendor whose code references Polyfill[.]io immediately, and remove their functionality from the site until the vendor confirms the issue has been resolved. A reference loaded by a vendor's script will not appear in your own files; it is only visible in the browser's network traffic, so check that as well as your source.
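To make the check described above concrete, the following is an added example script written for this notice; it is not Essent's code and not part of the Polyfill project. It scans a site's files for references to the real polyfill.io domain (the script matches the actual hostname, not the bracketed form used in this notice), lists every reference it finds, and rewrites each one to Cloudflare's mirror by swapping the hostname and keeping the path and query string, which is the replacement Cloudflare documents. The sample page it scans is constructed for the example; the list of file extensions it inspects and its decision to treat any subdomain of polyfill.io as the CDN are the script's own assumptions.

```python
"""Find and replace references to the polyfill.io CDN in a site's files.

Added example for this notice; not Essent's code. Sample input is constructed.
"""
import re
import tempfile
from pathlib import Path

# Matches absolute (http:// or https://) and protocol-relative (//) URLs whose
# host is polyfill.io or any subdomain of it (the v2 service lived on
# cdn.polyfill.io). Matching every subdomain is an assumption made here to be
# conservative. The negative lookahead stops "polyfill.io.example.net" from
# being mistaken for the CDN. The path group captures path and query string
# up to a quote, whitespace, angle bracket or closing parenthesis.
POLYFILL_URL_RE = re.compile(
    r"(?P<scheme>https?:)?//"
    r"(?P<host>(?:[\w-]+\.)*polyfill\.io)"
    r"(?![\w.-])"
    r"(?P<path>/[^\s\"'<>)]*)?",
    re.IGNORECASE,
)

# Cloudflare's mirror: the original path and query are appended unchanged.
MIRROR_PREFIX = "https://cdnjs.cloudflare.com/polyfill"

# File types worth scanning; extend for your own templating system.
SCAN_SUFFIXES = (".html", ".htm", ".js", ".css", ".php", ".aspx", ".cshtml")

# Constructed sample page (not a real site). Line 3 already uses the mirror
# and line 4 is a look-alike host; neither should be reported.
SAMPLE_HTML = """<!-- constructed sample page -->
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6,fetch"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<a href="https://polyfill.io.example.net/docs">not the CDN</a>
<script>
  // constructed: a reference inserted from script, which a tag-only scan misses
  var s = document.createElement("script");
  s.src = "https://polyfill.io/v3/polyfill.min.js?features=IntersectionObserver";
  document.head.appendChild(s);
</script>
"""


def find_references(text: str) -> list[str]:
    """Return every polyfill.io URL in the text, in document order."""
    return [m.group(0) for m in POLYFILL_URL_RE.finditer(text)]


def rewrite_reference(url: str) -> str:
    """Rewrite one polyfill.io URL to the Cloudflare mirror; others unchanged.

    Protocol-relative references are upgraded to https, since the mirror is
    only served over TLS.
    """
    m = POLYFILL_URL_RE.fullmatch(url)
    if not m:
        return url
    return MIRROR_PREFIX + (m.group("path") or "/")


def rewrite_text(text: str) -> tuple[str, int]:
    """Rewrite all polyfill.io references in text; return (new_text, count)."""
    return POLYFILL_URL_RE.subn(lambda m: rewrite_reference(m.group(0)), text)


def scan_tree(root: Path) -> dict[Path, list[str]]:
    """Map each file under root that references polyfill.io to its references."""
    hits: dict[Path, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        refs = find_references(text)
        if refs:
            hits[path] = refs
    return hits


def demo_scan() -> dict[str, int]:
    """Scan a constructed site tree; return {relative file: reference count}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(SAMPLE_HTML, encoding="utf-8")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('no cdn');\n", encoding="utf-8")
        hits = scan_tree(root)
        return {str(p.relative_to(root)): len(refs) for p, refs in hits.items()}


if __name__ == "__main__":
    for url in find_references(SAMPLE_HTML):
        print(f"found:   {url}\n  -> {rewrite_reference(url)}")
    fixed, count = rewrite_text(SAMPLE_HTML)
    print(f"\n{count} reference(s) rewritten; remaining: {find_references(fixed)}")
    print("scan of constructed tree:", demo_scan())
```

Run it against a site's document root by calling `scan_tree(Path("/var/www/site"))` (a hypothetical path) and review the report before applying `rewrite_text` to any file. Verify that each rewritten URL actually loads from the mirror, and keep in mind that a file-system scan only finds references in files you control: a reference added at runtime by a vendor's script shows up only in the browser's network traffic, which is why the third-party vendor step above is separate.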
More Information: