bluedoor data·Trust Centers API·bluedoor.sh

Home / Security updates / Polyfill vulnerability

Polyfill vulnerability

Security updates detail rendered from /security-updates/upd_287e36d04d84c4e6.

Overview

IDupd_287e36d04d84c4e6
CollectionSecurity Updates
ProviderSafeBase
CompanyBold Commerce
URL-
Counts-
Updated-

Raw record

FieldValue
idupd_287e36d04d84c4e6
providerIdsafebase
organizationIdorg_cd8cc3da48919d07
trustCenterIdtc_0af19b729e317e0d
titlePolyfill vulnerability
messageHey there! On June 25th, 2024 security researchers at Sansec discovered that malicious code had been added into the popular polyfill package hosted at cdn.polyfill.io after it was acquired by a Chinese company earlier this year. Bold Commerce was alerted by Cloud Flare to the fact that some of our domains were using the affected package on Jun 26, 2024. Upon receiving the alert, we swiftly moved to remove all references to the affected CDN from our codebases the same day. We confirmed via Cloudflare's Page Shield application that all affected references had been updated to safe sources for Polyfill code. The malicious code was intended to redirect certain users to a website specified by the Chinese company. Although we confirmed that the affected polyfill package was loaded onto some sites using Bold Commerce apps (Checkout on Shopify and Subscriptions 1), malicious code targeted only mobile devices with specific conditions. For other devices, the polyfill server served the original
url-
publishedAt2024-07-18
source
{
  "field": "statuspage/public/compliance-update",
  "category": "vulnerabilities"
}
company
{
  "id": "org_cd8cc3da48919d07",
  "name": "Bold Commerce",
  "domains": [
    "trust.boldcommerce.com",
    "boldcommerce.com"
  ]
}
trust_center
{
  "id": "tc_0af19b729e317e0d",
  "name": "Bold Commerce",
  "url": "https://trust.boldcommerce.com",
  "host": "trust.boldcommerce.com"
}
provider
{
  "id": "safebase",
  "name": "SafeBase"
}
links
{
  "self": "/v1/security-updates/upd_287e36d04d84c4e6",
  "company": "/v1/companies/org_cd8cc3da48919d07",
  "trust_center": "/v1/trust-centers/tc_0af19b729e317e0d",
  "provider": "/v1/providers/safebase"
}
Get this page with API

Rendered from the bluedoor Trust Centers API. Reproduce it:

GET https://api.bluedoor.sh/trust-centers/v1/security-updates/upd_287e36d04d84c4e6JSON