Sites using polyfill.io on HubSpot were rewritten to use Cloudflare's version
This is a repost from the developer changelog. If there are any text differences between this copy and the original on the changelog, the changelog is the source of truth.
URLs for a popular polyfill service (polyfill.io) began serving malicious code after years of serving safe polyfill scripts. Web developers use polyfills to add backward compatibility for newer browser APIs. None of HubSpot's default assets use polyfill.io hosted scripts. Developers building themes, templates, and modules on HubSpot can, at their discretion, include scripts from external domains. Developers may have included polyfills from polyfill.io this way.
To help all of our customers, developers, and partners who have used polyfill.io hosted scripts, we protected all HubSpot hosted sites by rewriting all URLs for polyfill.io to use Cloudflare's safe original version of the polyfills. Along with eliminating the malicious code, this ensures that backward compatibility efforts made by developers are still operational.
There is no action needed from customers, partners, or developers using HubSpot.
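
The kind of URL rewrite described above, sketched as an added example; it is not HubSpot's implementation. It assumes Cloudflare's mirror is served from cdnjs.cloudflare.com under a /polyfill path prefix, and the function names and sample markup are constructed for illustration.

```javascript
// Added example, not HubSpot's rewrite logic. Assumption: Cloudflare's mirror
// lives at cdnjs.cloudflare.com with the original path under /polyfill.
const MIRROR_HOST = "cdnjs.cloudflare.com";
const MIRROR_PREFIX = "/polyfill";

// Exact host match only, so lookalikes such as "polyfill.io.example.com"
// or "notpolyfill.io" are never rewritten.
const POLYFILL_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io", "www.polyfill.io"]);

// Rewrite one URL; returns the input unchanged if it is not a polyfill.io URL.
function rewritePolyfillUrl(raw) {
  let url;
  try {
    // Protocol-relative URLs ("//host/path") need a scheme before parsing.
    url = new URL(raw.startsWith("//") ? "https:" + raw : raw);
  } catch {
    return raw; // relative path or not a URL at all
  }
  if (!/^https?:$/.test(url.protocol)) return raw;
  // URL lowercases the hostname; also drop a trailing root dot.
  if (!POLYFILL_HOSTS.has(url.hostname.replace(/\.$/, ""))) return raw;
  // Keep path and query (e.g. ?features=fetch) so the same polyfills load.
  return "https://" + MIRROR_HOST + MIRROR_PREFIX + url.pathname + url.search;
}

// Rewrite src/href attribute values in template markup and report each change.
function rewriteTemplate(html) {
  const changes = [];
  const out = html.replace(
    /\b(src|href)(\s*=\s*)(["'])(.*?)\3/gi,
    (match, attr, eq, quote, value) => {
      const fixed = rewritePolyfillUrl(value.trim());
      if (fixed === value.trim()) return match;
      changes.push({ from: value, to: fixed });
      return attr + eq + quote + fixed + quote;
    }
  );
  return { html: out, changes };
}

// Constructed sample template markup.
const SAMPLE = [
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>',
  "<script src='//polyfill.io/v3/polyfill.js'></script>",
  '<script src="https://notpolyfill.io/v3/polyfill.min.js"></script>',
  '<script src="/assets/app.js"></script>',
].join("\n");

console.log(rewriteTemplate(SAMPLE).changes);
```

The `changes` list doubles as an audit log of which template references pointed at polyfill.io.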