AutoRABIT Engineering Blog: The Polyfill Vulnerability and Its Impact on Salesforce
By Prasanth Samudrala, AutoRABIT VP of Solutions Engineering
The reliance on polyfills to ensure compatibility with older browsers such as Internet Explorer 11 (IE11) has raised significant security concerns. A polyfill is a JavaScript code library that implements browser features that are not natively supported, allowing web applications to function across different browsers. However, these polyfills can introduce vulnerabilities, particularly in the context of complex platforms like Salesforce.
This very issue recently happened. Polyfill shared a statement with The Hacker News that said, “We detected a security issue recently that may affect websites using certain third-party libraries.” It’s been reported that more than 100,000 websites were impacted by this event.
We’ll explore these critical aspects of this vulnerability:
- What is a Polyfill?
- Impact on Salesforce
- Effect on Salesforce AppExchange
- Using CodeScan to Flag Polyfill Vulnerabilities
What is a Polyfill?
Polyfills provide modern functionalities to older browsers, enabling them to handle new JavaScript features. For instance, the includes method for strings and arrays, which is not available in IE11, can be polyfilled to ensure that applications relying on this method can still run on older browsers.
Although polyfills solve compatibility issues, they also introduce security risks. If polyfills are not implemented correctly or are outdated, they can expose applications to security vulnerabilities such as supply chain attacks.
Impact on Salesforce
Salesforce, a cloud-based software company, uses JavaScript extensively in its Visualforce and Lightning Web Components (LWC). Many Salesforce applications rely on polyfills to support users who are still on older browsers like IE11. This dependency creates a significant security risk, as demonstrated by a recent advisory from Salesforce, which highlighted the need to replace certain polyfills to mitigate vulnerabilities.
For example, polyfills are used in Salesforce to support URL constructors in IE11, which can be exploited if not properly managed. This can lead to potential security breaches in which malicious actors exploit these polyfills to execute unauthorized actions.
Effect on Salesforce AppExchange
Salesforce AppExchange hosts a plethora of third-party applications developed by independent software vendors (ISVs). These applications often use polyfills to ensure compatibility with a wide range of browsers. Popular applications like Conga, Copado, and DocuSign might also be susceptible to vulnerabilities introduced by polyfills. If these applications use outdated or insecure polyfills, they can become targets for attackers, compromising the security of the entire Salesforce environment.
Here is a simple example of a polyfill that might be used in a Salesforce application:
In Salesforce AppExchange, applications developed by various vendors might be vulnerable if they use insecure polyfills. For example, an application like DocuSign might use polyfills to ensure that its electronic signature service works across all browsers. However, if the polyfills are not updated, they could expose sensitive data to attackers. Similarly, tools like Conga and Copado, which automate document generation and DevOps processes, respectively, could also be at risk.
Using CodeScan to Flag Polyfill Vulnerabilities
CodeScan, built on SonarQube, can be an effective tool to detect and flag the use of insecure polyfills in your codebase. By creating custom rules, CodeScan can identify instances where polyfills are used and check for known vulnerabilities or outdated practices. Here’s a basic approach to creating a custom rule in CodeScan:
- Identify Polyfills: Scan the codebase for commonly used polyfills.
- Check Versions: Ensure all polyfills are up-to-date and not known to have security issues.
- Flag Insecure Uses: Create rules to flag the usage of insecure polyfills.
By integrating these checks into your CI pipeline on ARM, you can ensure that insecure polyfills are identified and addressed before they make it into production.
While the main benefit of polyfill is to enable features not available in certain browsers, this technology comes with risk. Polyfill.js is a popular open-source library that has recently been modified, now allowing for malicious code to be inserted into websites that embedded scripts from cdn[.]polyfill[.]io.
Salesforce has several components within their platform that can use scripts to reference this domain directly. CodeScan currently offers a three-layered protection system to mitigate these risks.
- First, we are scanning the configuration settings of critical Salesforce components including Salesforce Sites, Salesforce CORS (cross origin request sharing), and Salesforce CSP (content security policy) to detect if any calls are allowed to be made to polyfill.io domains.
- Second, we are scanning for references to polyfill.io domains in core Salesforce components including Visualforce, Aura, Lightning, and other web components
- We are also scanning downloaded packages from Salesforce AppExchange to detect if any calls are being made to applicable polyfill.io domains.
Final Word
While polyfills play a crucial role in maintaining compatibility across browsers, they can introduce significant security risks if not managed properly. Salesforce environments, in particular, need to be vigilant about the polyfills used. Tools like CodeScan can help mitigate these risks by identifying and flagging insecure polyfills, ensuring a more secure and robust application environment.
For more detailed guidance, refer to Salesforce’s security advisories and best practices on polyfill usage.
