Those Scary Stories About Polyfill.io? They’re Just the Beginning
The Internet exploded this week about how polyfill.io was injecting malicious code into websites that were linking to it from the CDN at the URL where it has been served for years.
The thing is, ownership of the Github repo and the download domain were transferred in February. They didn’t wait until this week to start making changes. Here’s how I know.
In February, we started to get mysterious errors when some of our users tried to log in. The stack trace the Sentry error boundary was giving us didn’t make any sense. It was deep within the okta-react library code we were using. We hadn’t recently upgraded our okta-react, okta-js, or sentry code — or the code that called it.
Long story short, in the course of stepping through the code in the debugger, I found that some code in Okta was expecting to receive an object that had iterable properties. Sometimes when it received the object, those properties could not be iterated. Digging further, I found that the object was returned from code deep within the polyfill library.