ADVISORY – Malware Found in Threatens Salesforce Security and Endangers 100K+ Websites

Websites using the version library are at risk, as it is reported to be injecting malware that redirects traffic to sports betting and pornographic websites. Salesforce has issued an active advisory, and numerous sources have confirmed that the version should not be considered safe. There are reports of malware being propagated through the library.

How DigitSec Is Protecting Customers Against Malware Supply Chain Attack

DigitSec has proactively taken the following steps to protect customers against the exploit:

  1. Our SCA engine checks for all libraries that match the polyfill library type and functions; even an altered version of polyfill will be flagged if the same function signatures exist.
  2. While scanning Lightning Web Components (LWC) and VisualForce pages, we identify any remote references to polyfill, either directly by reference or indirectly via a CDN.
  3. When running a scan against a Salesforce environment, we check Content Security Policies (CSP) to ensure that is not being allowed.
  4. When running a scan against a Salesforce environment, we check the Cross-Origin Resource Sharing (CORS) settings to ensure is not enabled in the Salesforce environment.
  5. When checking Remote Sites, we check that Apex connections are not made to 
  6. Any third-party packages downloaded from AppExchange or other sources can be checked to see whether they reference or use polyfill.
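As an added illustration of checks 2, 3 and 5 above (example code written for this page, not DigitSec's SCA engine), the following Python script scans Salesforce metadata text for remote script references, CSP Trusted Site endpoints and Remote Site URLs that point at a blocklisted polyfill host, and flags any other remote polyfill reference for review. The host names in BLOCKED_HOSTS and the sample files are constructed placeholders; substitute the hosts named in the advisory.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder hosts: replace with the hosts named in the advisory.
BLOCKED_HOSTS = {"cdn.polyfill-blocked.example", "polyfill-mirror.example"}

# Absolute and protocol-relative URLs in page markup, LWC JavaScript, or metadata XML.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""", re.IGNORECASE)

def classify(url):
    """Return 'critical' for a blocklisted host, 'review' for any other remote
    reference that mentions polyfill, or None when the URL is not of interest."""
    host = (urlparse(url).hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return "critical"
    if "polyfill" in url.lower():
        return "review"
    return None

def scan_sources(files):
    """files maps a metadata path to its text; returns (path, line, url, severity)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for url in URL_RE.findall(line):
                severity = classify(url)
                if severity:
                    findings.append((path, lineno, url, severity))
    return findings

# Constructed sample metadata: a VisualForce page, an LWC, a CSP Trusted Site
# and a Remote Site Setting, as they would appear in a source-format project.
SAMPLE_FILES = {
    "pages/Landing.page":
        '<apex:page>\n<script src="https://cdn.polyfill-blocked.example/v3/polyfill.min.js"></script>\n</apex:page>',
    "lwc/hero/hero.js":
        "import { loadScript } from 'lightning/platformResourceLoader';\n"
        "loadScript(this, '//cdn.example-cdn.test/polyfill-bundle.js');",
    "cspTrustedSites/Polyfill.cspTrustedSite-meta.xml":
        "<CspTrustedSite>\n<endpointUrl>https://cdn.polyfill-blocked.example</endpointUrl>\n</CspTrustedSite>",
    "remoteSiteSettings/Api.remoteSite-meta.xml":
        "<RemoteSiteSetting>\n<url>https://api.example.com</url>\n</RemoteSiteSetting>",
}

if __name__ == "__main__":
    for path, line, url, severity in scan_sources(SAMPLE_FILES):
        print(f"{severity.upper():8} {path}:{line} {url}")
```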

This is the most comprehensive approach to protecting our customers' Salesforce environments and users against this supply chain malware attack. We will continue to monitor this issue and will share updates as needed.

The Polyfill code dynamically generates various malicious activities based on HTTP headers and is now vulnerable to multiple types of attacks. Polyfill is extensively used by Salesforce developers across several industries, including e-commerce, finance, media, healthcare, and entertainment. This leaves websites susceptible to exploitation by threat actors, potentially affecting many organizations' landing pages without their knowledge that the malware is present.

Salesforce application developers use Polyfill to enhance browser capabilities. It can be embedded in VisualForce pages or stored as a Static Resource, and in either form it can carry the malware.

Update: July 8, 2024 at 12:00 PM Pacific: Several other hosts have been observed exhibiting similar malicious activity for hosted polyfills. These additional hosts include:

These hosts have been identified as malicious and are tagged within the DigitSec platform as critical vulnerabilities. Our team is also analyzing the behavior of files in the Salesforce environment during runtime testing.

It is strongly advised that Salesforce users remove Please contact us here to schedule a scan of your Salesforce environment for
Feel free to reach out at if you have any additional concerns about securing your Salesforce applications or require additional information about DigitSec.


Vidhumitha Goutham


DigitSec brings four scans to protect Salesforce: Source Code Analysis, Custom Runtime Testing, Software Composition Analysis, & Cloud Security Configuration Review. #DevOps
