URLs for a popular polyfill service (polyfill.io) began serving malicious code after years of serving safe polyfill scripts. Web developers use polyfills to add backward compatibility for newer browser APIs. None of HubSpot's default assets use polyfill.io hosted scripts. Developers building themes, templates, and modules on HubSpot can, at their discretion, include scripts from external domains. Developers may have included polyfills from polyfill.io this way. 

We protected all HubSpot hosted sites by rewriting all URLs for polyfill.io to use Cloudflare's safe original version of the polyfills to help all of our customers, developers, and partners, who've used polyfill.io hosted scripts. Along with eliminating the malicious code, this ensures that backward compatibility efforts made by developers are still operational.

There is no action needed from customers, partners, or developers using HubSpot.

When is it happening?

This change went into effect on July 15, 2024.

Questions or comments? Join us in the developer forums.