ADVISORY – Malware Found in Polyfill.io Threatens Salesforce Security and Endangers 100K+ Websites

Websites that use the Polyfill.io library are at risk, as it is reported to be injecting malware that redirects traffic to sports betting and pornographic websites. Salesforce has an active advisory, and numerous sources report that polyfill.io should not be considered safe. There are some reports of malware being propagated through the library.

How DigitSec Is Protecting Customers Against Polyfill.io Malware Supply Chain Attack

DigitSec has proactively taken the following steps to protect customers against the polyfill.io exploit:

  1. Our SCA engine checks for all libraries that match the polyfill library type and functions. Even an altered version of polyfill will be flagged if the same function signatures exist.
  2. While scanning Lightning Web Components (LWC) and VisualForce pages, we identify any remote references to polyfill, either directly by referencing polyfill.io or indirectly from a CDN.
  3. When running a scan against a Salesforce environment, we check Content Security Policies (CSP) to ensure that polyfill.io is not allowed.
  4. When running a scan against a Salesforce environment, we check the Cross-Origin Resource Sharing (CORS) setting to ensure that polyfill.io is not enabled.
  5. When checking Remote Sites, we check that Apex connections are not made to polyfill.io.
  6. Any 3rd party packages downloaded from AppExchange or other sources can be checked to see if they reference or use polyfill.


This is the most comprehensive approach to protecting our customers' Salesforce environments and users against this supply chain malware attack. We will continue to monitor this issue and will share any updates as needed.
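A simplified version of the reference checks in items 2 through 5, as an added example that is not DigitSec's code: it scans retrieved Salesforce metadata text for hosts that equal or are subdomains of a blocked domain, including protocol-relative and wildcard entries. The file names and contents are constructed samples, the function names are hypothetical, and only direct host references are covered (not polyfill code re-hosted on another CDN).

```python
import re

# Assumption: the operator supplies the blocklist; only the host named in the
# advisory text is seeded here.
BLOCKED_DOMAINS = {"polyfill.io"}

# Host part of absolute (https://host) and protocol-relative (//host) URLs,
# including wildcard entries such as https://*.example.com.
HOST_RE = re.compile(r"(?:https?:)?//((?:\*\.)?[A-Za-z0-9.-]+)", re.IGNORECASE)

def blocked_parent(host, blocked=BLOCKED_DOMAINS):
    """Return the blocked domain that host equals or is a subdomain of, else None."""
    host = host.lower().lstrip("*").strip(".")
    for domain in sorted(blocked):
        # Suffix match on a label boundary, so lookalike hosts are not flagged.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan_text(name, text, blocked=BLOCKED_DOMAINS):
    """Return (file, line number, host as written, blocked domain) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in HOST_RE.finditer(line):
            domain = blocked_parent(match.group(1), blocked)
            if domain:
                findings.append((name, lineno, match.group(1), domain))
    return findings

def scan_files(files, blocked=BLOCKED_DOMAINS):
    """files maps a path to its text, e.g. read from a retrieved metadata folder."""
    return [f for name in sorted(files) for f in scan_text(name, files[name], blocked)]

# Constructed sample metadata (not taken from any real org).
SAMPLE = {
    "pages/Landing.page":
        '<apex:page>\n'
        '  <apex:includeScript value="https://cdn.polyfill.io/v3/polyfill.min.js"/>\n'
        '  <script src="//polyfill.io/v3/polyfill.min.js"></script>\n'
        '</apex:page>',
    "cspTrustedSites/Poly.cspTrustedSite-meta.xml":
        '<CspTrustedSite>\n  <endpointUrl>https://polyfill.io</endpointUrl>\n</CspTrustedSite>',
    "corsWhitelistOrigins/Poly.corsWhitelistOrigin-meta.xml":
        '<CorsWhitelistOrigin>\n  <urlPattern>https://*.polyfill.io</urlPattern>\n</CorsWhitelistOrigin>',
    "remoteSiteSettings/Lookalike.remoteSite-meta.xml":
        '<RemoteSiteSetting>\n  <url>https://polyfill.io.example.com</url>\n</RemoteSiteSetting>',
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE):
        print("%s:%d references %s (blocked: %s)" % finding)
```

The lookalike Remote Site entry is deliberately left unflagged, because `polyfill.io.example.com` is a subdomain of `example.com`, not of the blocked domain.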

The Polyfill code dynamically generates malicious behavior based on HTTP headers and is now vulnerable to multiple types of attacks. Polyfill is extensively used by Salesforce developers in several industries, including e-commerce, finance, media, healthcare, and entertainment. This leaves websites open to exploitation by threat actors and can affect many organizations' landing pages without the organizations knowing that the malware is present.

Salesforce application developers use Polyfill to enhance browser capabilities. It can be embedded in VisualForce pages or used statically within Static Resources containing the malware.

Update: July 8, 2024 at 12:00 PM Pacific: It has been observed that several other hosts are exhibiting similar malicious activities for hosted polyfills. These additional hosts include:

These hosts have been identified as malicious and are tagged within the DigitSec platform as critical vulnerabilities. Our team is also analyzing the behavior of files in the Salesforce environment during runtime testing.

Those using Salesforce are strongly advised to remove polyfill.io. Please contact us here to schedule a scan of your Salesforce environment for polyfill.io.
 
Feel free to reach out at sales@digitsec.com if you have any additional concerns with securing your Salesforce applications or require additional information about DigitSec.


Vidhumitha Goutham
