Polyfill security vulnerability (CVE-2024-38526) and the B2C Commerce platform

Publish Date: Aug 26, 2025

Description

Polyfill.io is a JavaScript library service used by sites across the Internet to support older browsers. A June 2024 report by eCommerce security vendor Sansec detailed a supply chain attack in which the new owner of polyfill.io allegedly injected malware on mobile devices via any site that embeds cdn.polyfill.io, potentially affecting over 100,000 sites.

Resolution

While the B2C Commerce platform itself is not affected by this issue, storefronts built with custom implementations may be loading affected polyfill libraries. The embedded CDN (eCDN) used for B2C Commerce now provides an alternative service to address the ongoing supply chain attack. To reduce the risk of your storefront loading malicious code, we strongly advise you to remove any links to the polyfill.io domain by replacing them with an alternative service such as https://cdnjs.cloudflare.com/polyfill/.

Please take immediate action to safeguard your users. If you are unable to remove the polyfill.io libraries, please reach out to Commerce Cloud Support as outlined in How to engage Commerce Cloud Support via the Salesforce Help portal for assistance.

 

For reference, examples of URLs that have been serving the malicious code include:

https[:]//polyfill(.)io/v3/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v2/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v3/polyfill.min.js
https[:]//polyfill(.)io/v3/polyfill.js
https[:]//cdn(.)polyfill(.)io/v2/polyfill.js
https[:]//cdn(.)polyfill(.)io/v1/polyfill.min.js
https[:]//polyfill(.)io/v2/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v3/polyfill.js
https[:]//polyfill(.)io/v2/polyfill.js
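As an added example (not part of this Salesforce article), a small Python scanner that finds references to the polyfill.io and cdn.polyfill.io hosts listed above in storefront template and script files and rewrites them to the cdnjs mirror named in the resolution. It assumes the cdnjs mirror serves the same /v2/ and /v3/ paths (including the ?features= query string) that polyfill.io did; the sample template is constructed.

```python
"""Find polyfill.io script references in storefront sources and propose replacements."""
import re
from pathlib import Path

# Replacement service recommended in the advisory. Assumption: the mirror serves
# the same /v2/... and /v3/... paths that polyfill.io did, so the path is carried over.
REPLACEMENT_BASE = "https://cdnjs.cloudflare.com/polyfill/"

# Matches http(s) or protocol-relative references to polyfill.io / cdn.polyfill.io,
# capturing the path plus any ?features=... query string so it can be preserved.
POLYFILL_RE = re.compile(r"""(?:https?:)?//(?:cdn\.)?polyfill\.io(/[^\s"'<>]*)?""", re.IGNORECASE)

def find_polyfill_refs(text):
    """Return [(line_no, url), ...] for every affected reference in `text`."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hits.extend((n, m.group(0)) for m in POLYFILL_RE.finditer(line))
    return hits

def rewrite_ref(url):
    """Map one polyfill.io URL onto the cdnjs mirror, keeping path and query string."""
    m = POLYFILL_RE.fullmatch(url)
    if not m:
        return url  # not an affected URL; leave it untouched
    return REPLACEMENT_BASE + (m.group(1) or "/").lstrip("/")

def rewrite_text(text):
    """Rewrite every affected reference in a template or script body."""
    return POLYFILL_RE.sub(lambda m: rewrite_ref(m.group(0)), text)

def scan_tree(root, suffixes=(".isml", ".js", ".html")):
    """Walk a cartridge directory; return {path: hits} for files still referencing polyfill.io."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = find_polyfill_refs(p.read_text(errors="replace"))
            if hits:
                report[str(p)] = hits
    return report

# Constructed sample template: two affected tags and one already on the mirror.
SAMPLE_ISML = """<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch,Promise"></script>
<script src="//polyfill.io/v2/polyfill.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
"""

if __name__ == "__main__":
    for n, url in find_polyfill_refs(SAMPLE_ISML):
        print(f"line {n}: {url} -> {rewrite_ref(url)}")
```

Run `scan_tree("path/to/cartridges")` against a checked-out storefront to list every file that still needs attention before applying `rewrite_text`.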

Knowledge Article Number

002330975

Salesforce Help | Article