Home / Security updates / Polyfill vulnerability
Polyfill vulnerability
Security updates detail rendered from /security-updates/upd_287e36d04d84c4e6.
Overview
| ID | upd_287e36d04d84c4e6 |
| Collection | Security Updates |
| Provider | SafeBase |
| Company | Bold Commerce |
| URL | - |
| Counts | - |
| Updated | - |
Raw record
| Field | Value |
|---|---|
| id | upd_287e36d04d84c4e6 |
| providerId | safebase |
| organizationId | org_cd8cc3da48919d07 |
| trustCenterId | tc_0af19b729e317e0d |
| title | Polyfill vulnerability |
| message | Hey there! On June 25th, 2024 security researchers at Sansec discovered that malicious code had been added into the popular polyfill package hosted at cdn.polyfill.io after it was acquired by a Chinese company earlier this year. Bold Commerce was alerted by Cloud Flare to the fact that some of our domains were using the affected package on Jun 26, 2024. Upon receiving the alert, we swiftly moved to remove all references to the affected CDN from our codebases the same day. We confirmed via Cloudflare's Page Shield application that all affected references had been updated to safe sources for Polyfill code. The malicious code was intended to redirect certain users to a website specified by the Chinese company. Although we confirmed that the affected polyfill package was loaded onto some sites using Bold Commerce apps (Checkout on Shopify and Subscriptions 1), malicious code targeted only mobile devices with specific conditions. For other devices, the polyfill server served the original |
| url | - |
| publishedAt | 2024-07-18 |
| source | {
"field": "statuspage/public/compliance-update",
"category": "vulnerabilities"
} |
| company | {
"id": "org_cd8cc3da48919d07",
"name": "Bold Commerce",
"domains": [
"trust.boldcommerce.com",
"boldcommerce.com"
]
} |
| trust_center | {
"id": "tc_0af19b729e317e0d",
"name": "Bold Commerce",
"url": "https://trust.boldcommerce.com",
"host": "trust.boldcommerce.com"
} |
| provider | {
"id": "safebase",
"name": "SafeBase"
} |
| links | {
"self": "/v1/security-updates/upd_287e36d04d84c4e6",
"company": "/v1/companies/org_cd8cc3da48919d07",
"trust_center": "/v1/trust-centers/tc_0af19b729e317e0d",
"provider": "/v1/providers/safebase"
} |
Get this page with API
Rendered from the bluedoor Trust Centers API. Reproduce it:
GET https://api.bluedoor.sh/trust-centers/v1/security-updates/upd_287e36d04d84c4e6JSON