Polyfill security vulnerability (CVE-2024-38526) and the B2C Commerce platform

Publication date: Aug 26, 2025
Description

Polyfill.io is a JavaScript library service used by sites across the Internet to support older browsers. A June 2024 report by eCommerce security vendor Sansec detailed a supply chain attack in which the new owner of polyfill.io allegedly injected malware on mobile devices via any site that embeds cdn.polyfill.io, potentially affecting over 100,000 sites.

Resolution

While the B2C Commerce platform itself is not affected by this issue, storefronts built with custom implementations may still reference the affected polyfill libraries. The embedded CDN (eCDN) used for B2C Commerce now provides an alternative service to address the ongoing supply chain attack. To reduce the risk of your storefront loading malicious code, we strongly advise you to remove any links to the polyfill{.}io domain and replace them with an alternative service such as https://cdnjs.cloudflare.com/polyfill/.

Please take immediate action to safeguard your users. If you are unable to remove the polyfill.io libraries, please reach out to Commerce Cloud Support as outlined in How to engage Commerce Cloud Support via the Salesforce Help portal for assistance.

For reference, examples of URLs which have been serving the malicious code include:

https[:]//polyfill(.)io/v3/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v2/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v3/polyfill.min.js
https[:]//polyfill(.)io/v3/polyfill.js
https[:]//cdn(.)polyfill(.)io/v2/polyfill.js
https[:]//cdn(.)polyfill(.)io/v1/polyfill.min.js
https[:]//polyfill(.)io/v2/polyfill.min.js
https[:]//cdn(.)polyfill(.)io/v3/polyfill.js
https[:]//polyfill(.)io/v2/polyfill.js

Knowledge Article Number

002330975

Salesforce Help | Article