Security alert: polyfill.io domain purchased by Chinese bad actors.

Jun 26, 2024 18:57


The Register: If you're using Polyfill.io code on your site - like 100,000+ are - remove it immediately
The Hacker News: Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack
Bleeping Computer: Polyfill.io JavaScript supply chain attack impacts over 100K sites

Okay, you get the idea. Now this looks like a server-side attack, so if the sites you visit are utilizing code that comes from polyfill, then there's not much you can do. If they're simply linking to the polyfill.io or cdn.polyfill.io domains, then there are a few things you can do:
  1. Blackhole the site at your firewall or hosts file. On Linux, you can find it in your /etc/ folder. sudo up to root, and edit the hosts file. Put these entries in:
    127.0.0.1 polyfill.io
    127.0.0.1 cdn.polyfill.io
    127.0.0.1 bootcss.com
    127.0.0.1 bootcdn.net
    127.0.0.1 staticfile.org

    In Windows, you can find the hosts file in:
    C:\Windows\System32\drivers\etc\

  2. If you run NoScript in Firefox, go to Tools > Add-ons and Themes.
    Click the "..." button next to NoScript
    Select preferences.
    Go to the "per-site permissions" tab.
    In the "Search or add a web site:" box, type polyfill.io. If it doesn't find it, add it with the "+" button to the right of the search bar.
    Set it to UNTRUSTED.
    Do the same for cdn.polyfill.io.


Edited to add bootcss.com, bootcdn.net, and staticfile.org to that list of sites to blackhole, per Bleeping Computer's article.
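
The hosts-file step above, as an added example that is not part of the original post: a POSIX shell function that appends only the entries that are missing, so it can be re-run without creating duplicates. The function names and the `.bak` backup file are assumptions of this example.

```shell
#!/bin/sh
# Added example. Domains are the ones listed in the post.
BLOCK_DOMAINS="polyfill.io cdn.polyfill.io bootcss.com bootcdn.net staticfile.org"

# is_blackholed HOSTS_FILE DOMAIN
# Succeeds when an uncommented line maps DOMAIN to 127.0.0.1.
is_blackholed() {
    awk -v d="$2" '
        { sub(/#.*/, "") }    # ignore comments, including commented-out entries
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) if (tolower($i) == d) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1" 2>/dev/null
}

# blackhole_hosts HOSTS_FILE
# Appends the missing entries and prints how many were added.
blackhole_hosts() {
    hosts_file=$1
    missing=""
    for d in $BLOCK_DOMAINS; do
        if ! is_blackholed "$hosts_file" "$d"; then
            missing="$missing $d"
        fi
    done
    added=0
    if [ -n "$missing" ]; then
        if [ -s "$hosts_file" ]; then
            cp -p "$hosts_file" "$hosts_file.bak"   # assumed backup name
            # A last line without a newline would swallow the first new entry.
            if [ -n "$(tail -c 1 "$hosts_file")" ]; then
                printf '\n' >> "$hosts_file"
            fi
        fi
        for d in $missing; do
            printf '127.0.0.1 %s\n' "$d" >> "$hosts_file"
            added=$((added + 1))
        done
    fi
    echo "$added"
}

# Usage, as root on Linux: blackhole_hosts /etc/hosts
```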