Polyfill.io is asking for a username and password on banking and e-commerce sites
That login box is not from the site you are visiting.
For years, polyfill.io was one of the most common third-party scripts on the web. The Financial Times engineering team built it as a CDN for JavaScript polyfills, small shims that let older browsers handle modern features. Millions of sites dropped in a single script tag and forgot about it. Boring infrastructure. The sort of thing nobody audits twice.
We track these at Lokker. We run web privacy scans across large numbers of sites, and hijacked domains are high on our watch list: domains that expire, change hands, and end up with someone who should not have them. polyfill.io has been on that list for a while. The original developer told sites to remove it back in 2024 after the domain was sold and the CDN started serving malicious code. Namecheap eventually pulled the domain. A lot of organizations cleaned it up.
A lot did not.
As of this week, we are seeing something worse. Sites that still load scripts directly from polyfill.io are triggering a browser-level username and password dialog. You are not looking at the bank’s styled login page or the retailer’s checkout flow. You get a plain HTTP Basic Authentication prompt, the same dialog your browser shows when a server returns a 401 and asks for credentials.
Whether you see it depends on your browser and settings. Some users never get the prompt. Others see it mid-session on a financial services site or an e-commerce site they already trust. The dialog looks like it belongs to the page you are on. It does not. Whatever you type goes to whoever controls polyfill.io right now, and the script request can carry a Referer header that tells them exactly which site you came from.
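Two things in the paragraph above can be checked against a captured response instead of by waiting for the dialog to appear in a browser: whether a 401 from the script host will raise the browser's own credential prompt, and what the Referer header on that script request reveals about the page. The Python below is an added example, not Lokker's tooling; the captured response and the bank page URL are constructed, and the path under polyfill.io is a placeholder. It also goes a little beyond the post's single case by applying each named Referrer-Policy value, so you can see which settings leak the full page URL and which leak only the origin.

```python
"""Check a captured script response and what Referer a page would send to it.

Added example, not Lokker's code. The captured response is constructed;
polyfill.io is the host named in the post and the path is a placeholder.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed: the kind of answer a HEAD/GET of a third-party script URL can give.
CAPTURED_RESPONSE = {
    "url": "https://polyfill.io/placeholder.js",  # placeholder path
    "status": 401,
    "headers": {"WWW-Authenticate": 'Basic realm="Login"', "Content-Length": "0"},
}


def triggers_native_login_dialog(status: int, headers: Dict[str, str]) -> bool:
    """True when a browser would show its own username/password dialog for this
    response: status 401 plus a WWW-Authenticate header offering the Basic or
    Digest scheme. Other schemes (e.g. Bearer) produce no dialog."""
    if status != 401:
        return False
    challenge = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
    scheme = challenge.split(None, 1)[0].lower() if challenge.strip() else ""
    return scheme in ("basic", "digest")


def _host(url: str) -> str:
    """Host[:port] without userinfo, as the referrer form requires."""
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port else host


def _origin(url: str) -> str:
    return f"{urlsplit(url).scheme}://{_host(url)}"


def _stripped(url: str) -> str:
    """The 'referrer' form of a URL: no userinfo, no fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(url), p.path, p.query, ""))


def referer_for(page_url: str, request_url: str,
                policy: str = "strict-origin-when-cross-origin") -> Optional[str]:
    """Referer header a browser attaches to request_url when loaded from page_url,
    following the Referrer-Policy names defined by the W3C spec. The default
    argument is the policy browsers apply when a page sets none."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme != "https"
    full, origin = _stripped(page_url), _origin(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin (the default)
    if same_origin:
        return full
    return None if downgrade else origin


def audit(page_url: str, captured: dict,
          policy: str = "strict-origin-when-cross-origin") -> Dict[str, object]:
    """Combine both checks for one script URL loaded from page_url."""
    return {
        "script": captured["url"],
        "prompts_for_credentials": triggers_native_login_dialog(captured["status"], captured["headers"]),
        "referer_sent": referer_for(page_url, captured["url"], policy),
    }


if __name__ == "__main__":
    # Constructed page URL: a logged-in account page on a bank.
    for pol in ("strict-origin-when-cross-origin", "unsafe-url", "no-referrer"):
        print(pol, audit("https://bank.example/accounts/123?tab=cards#top", CAPTURED_RESPONSE, pol))
```

Under the browser default the script host learns only `https://bank.example`; a page that sets `unsafe-url` or `no-referrer-when-downgrade` hands over the full path and query string as well, which is why the Referer point in the paragraph above depends on the site's own headers.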
If someone enters credentials there, those are not going to the bank or the store. They go to a third party that already has a history of abusing this domain.
If you see a basic auth popup like this, close it. Do not enter anything.
If you run a website, search your codebase, tag managers, CMS templates, and legacy pages for polyfill.io. Remove every reference. Cloudflare and Fastly both offer safe replacements if you still need polyfills. There is no good reason to keep loading from this domain.
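A plain text search for `polyfill.io` misses the ways the reference actually hides: a protocol-relative `//cdn.polyfill.io/...` in old JavaScript, or the backslash-escaped `https:\/\/polyfill.io\/...` that tag-manager container exports and other JSON files use. The scanner below is an added example, not Lokker's scan tooling. It takes the hosts to flag from a watch list (only polyfill.io is named in this post; the list is meant to be extended), reports URL references and bare mentions separately, and handles subdomains and the escaped form. The sample files it scans are constructed, and the script paths in them are placeholders.

```python
"""Find references to hijacked script hosts in a codebase.

Added example, not Lokker's code. polyfill.io comes from the post; the sample
file contents below are constructed and their script paths are placeholders.
"""
import os
import re
from typing import Dict, List, Tuple

# Hosts to flag. Only polyfill.io is named in the post; add your own entries.
WATCHLIST = {"polyfill.io"}

# Absolute or protocol-relative URL, including the backslash-escaped form
# ("https:\/\/host\/path") found in JSON exports such as tag-manager containers.
URL_RE = re.compile(r"""(?:https?:)?(?:\\?/){2}([A-Za-z0-9.-]+)(?![A-Za-z0-9.-])""", re.IGNORECASE)

# A watched host (with any subdomains) appearing as a bare word, e.g. in a comment.
_hosts = "|".join(re.escape(w) for w in sorted(WATCHLIST))
MENTION_RE = re.compile(r"(?<![A-Za-z0-9-])((?:[A-Za-z0-9-]+\.)*(?:" + _hosts + r"))(?![A-Za-z0-9-])",
                        re.IGNORECASE)

Finding = Tuple[str, int, str, str]  # (file, line number, host, "url" | "mention")

# Constructed sample: one reference per hiding place the post warns about.
SAMPLE_FILES: Dict[str, str] = {
    "templates/base.html": '<script src="https://polyfill.io/placeholder.js"></script>\n'
                           '<script src="https://cdn.example.net/app.js"></script>',
    "static/legacy.js": "var s = document.createElement('script');\n"
                        "s.src = '//cdn.polyfill.io/placeholder.js';",
    "gtm/container.json": '{"tag": {"html": "<script src=\\"https:\\/\\/polyfill.io\\/placeholder.js\\"><\\/script>"}}',
    "README.md": "We used to load from polyfill.io; see the note in CHANGELOG.",
}


def _is_watched(host: str) -> bool:
    """Exact match or subdomain of any watch-list entry, case-insensitive."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in WATCHLIST)


def scan_text(name: str, text: str) -> List[Finding]:
    """Report every watched host referenced in text, URL hits before bare mentions."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already reported as URLs, so they are not double-counted
        for m in URL_RE.finditer(line):
            if _is_watched(m.group(1)):
                findings.append((name, lineno, m.group(1).lower(), "url"))
                covered.append(m.span(1))
        for m in MENTION_RE.finditer(line):
            if any(s <= m.start() < e for s, e in covered):
                continue
            findings.append((name, lineno, m.group(1).lower(), "mention"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} mapping (used for the sample and in tests)."""
    out: List[Finding] = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


def scan_directory(root: str) -> List[Finding]:
    """Walk a checkout and scan every file as text; binary files simply yield nothing."""
    out: List[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    out.extend(scan_text(os.path.relpath(path, root), fh.read()))
            except OSError:
                continue
    return out


if __name__ == "__main__":
    for file, line, host, kind in scan_files(SAMPLE_FILES):
        print(f"{file}:{line}: {kind:7} {host}")
```

Run `scan_directory(".")` at the root of a site checkout, and export tag-manager containers and CMS templates into that tree first so they are covered. A `url` hit is something a browser will actually fetch; a `mention` is a lead to read by hand. The scanner cannot see a host that is assembled at runtime from string pieces, so a page-level check of what the live site actually loads is still worth doing.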
We have been flagging polyfill.io in scans for months. What keeps surprising us is how long it hangs around: major brands, long-tail sites, pages nobody has touched in years. Third-party scripts are easy to add and hard to retire. Hijacked domains live in that gap.
One forgotten script tag, years old, and your visitors get a credential prompt from a domain you do not control. If you are not sure what is still loading on your site, check today.