# Configuration for Polyfill.io Vulnerability Rules

On June 26th, 2024, Salesforce released [a security notice warning of vulnerabilities in polyfill.io’s JavaScript library](https://status.salesforce.com/generalmessages/1391). CodeScan has released rules that find any uses of this library in your Salesforce Org.

There are 2 new rules that you can enable for your quality profiles:

* **Avoid Script References to polyfill.io** \
  This rule checks your Lightning components and Visualforce pages for script references to polyfill.io and its CDN.
* **Avoid Configuration References to polyfill.io** \
  This rule checks your CSP Trusted Sites, Cross-Origin Resource Sharing (CORS) whitelist origins, and Remote Site Settings in Salesforce metadata for references to, and whitelisting of, polyfill.io.
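
To make concrete what the two rules look for, the following scanner walks a Salesforce project tree and flags the same two kinds of reference: `<script>` tags and other script references in pages and components, and whitelisting entries in CspTrustedSite, CorsWhitelistOrigin and RemoteSiteSetting metadata. It is an added example and not CodeScan's rule implementation; the element names it inspects (`endpointUrl`, `urlPattern`, `url`), the file suffixes, and the sample files it builds in a temporary directory are assumptions of this example based on the standard Salesforce metadata types.

```python
"""Scan a Salesforce project tree for references to polyfill.io.

Added example (not CodeScan's rule implementation). Sample files are
constructed here for illustration; suffixes and element names are assumed.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional

# Matches polyfill.io and any sub-domain (cdn.polyfill.io) as a whole host name.
POLYFILL_RE = re.compile(r"(?<![\w-])(?:[\w-]+\.)*polyfill\.io(?![\w-])", re.IGNORECASE)

# Sources covered by "Avoid Script References to polyfill.io".
SCRIPT_SUFFIXES = {".cmp", ".app", ".page", ".component", ".html", ".js"}

# Metadata covered by "Avoid Configuration References to polyfill.io":
# file suffix (source format '-meta.xml' and metadata format) -> element
# that carries the URL. Standard Salesforce names, assumed by this example.
CONFIG_URL_ELEMENTS = {
    ".cspTrustedSite-meta.xml": "endpointUrl",
    ".corsWhitelistOrigin-meta.xml": "urlPattern",
    ".remoteSite-meta.xml": "url",
    ".cspTrustedSite": "endpointUrl",
    ".corswhitelistorigin": "urlPattern",
    ".remoteSite": "url",
}
NS = "{http://soap.sforce.com/2006/04/metadata}"

def config_suffix(path: Path) -> Optional[str]:
    """Return the CONFIG_URL_ELEMENTS key matching a metadata file, or None."""
    name = path.name.lower()
    return next((s for s in CONFIG_URL_ELEMENTS if name.endswith(s.lower())), None)

def scan_config(path: Path) -> List[str]:
    """Flag URL elements in a metadata file that point at polyfill.io."""
    element = CONFIG_URL_ELEMENTS[config_suffix(path)]
    root = ET.parse(path).getroot()
    nodes = list(root.iter(NS + element)) + list(root.iter(element))  # with/without xmlns
    return [f"{path.name}: <{element}>{n.text.strip()}</{element}>"
            for n in nodes if n.text and POLYFILL_RE.search(n.text)]

def scan_script(path: Path) -> List[str]:
    """Flag lines of a page, component or script that reference polyfill.io."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [f"{path.name}:{no}: {line.strip()}"
            for no, line in enumerate(text.splitlines(), 1) if POLYFILL_RE.search(line)]

def scan_project(root: Path) -> List[str]:
    """Walk a project tree and return every violation found."""
    hits: List[str] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if config_suffix(path):
            hits.extend(scan_config(path))
        elif path.suffix.lower() in SCRIPT_SUFFIXES:
            hits.extend(scan_script(path))
    return hits

# Constructed sample project: two clean files and three that must be flagged.
SAMPLE_FILES = {
    "pages/Legacy.page": (
        "<apex:page>\n"
        '  <script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>\n'
        "</apex:page>\n"),
    "lwc/hello/hello.html": "<template><p>Hello</p></template>\n",
    "cspTrustedSites/Polyfill.cspTrustedSite-meta.xml": (
        '<CspTrustedSite xmlns="http://soap.sforce.com/2006/04/metadata">\n'
        "    <endpointUrl>https://polyfill.io</endpointUrl>\n"
        "    <isActive>true</isActive>\n"
        "</CspTrustedSite>\n"),
    "remoteSiteSettings/Payments.remoteSite-meta.xml": (
        '<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">\n'
        "    <url>https://api.example.com</url>\n"
        "    <isActive>true</isActive>\n"
        "</RemoteSiteSetting>\n"),
    # Metadata (non-source) format: bare suffix, same XML body.
    "corsWhitelistOrigins/Polyfill.corswhitelistorigin": (
        '<CorsWhitelistOrigin xmlns="http://soap.sforce.com/2006/04/metadata">\n'
        "    <urlPattern>https://cdn.polyfill.io</urlPattern>\n"
        "</CorsWhitelistOrigin>\n"),
}

def run_demo() -> List[str]:
    """Write the sample project to a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_project(Path(tmp))

if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Running the script against the constructed project reports the Visualforce page, the CSP Trusted Site and the CORS origin, and stays silent on the LWC template and the Remote Site Setting that points elsewhere. Metadata files are parsed as XML and only the URL-bearing element is inspected, so a stray mention of polyfill.io in a `<description>` does not count as a whitelisting; script sources are matched line by line because the reference can appear in any attribute or string.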

To ensure that your projects are scanning with these rules, refer to the following steps:

**Note**: If you are scanning from Salesforce directly using CodeScan’s built-in Salesforce integration, start with step 1. Otherwise, skip to step 2.

1. **Add the metadata types for download:**\
   In the Project Settings > General Settings menu, scroll down to CodeScan Cloud Download Types:

<figure><img src="/files/F4T0QAl8bOjOzlPBZp3k" alt="" width="563"><figcaption></figcaption></figure>

Add three lines: CspTrustedSite, CorsWhitelistOrigin, and RemoteSiteSetting

<figure><img src="/files/8dQt6NE1OYR82ZswX96d" alt="" width="563"><figcaption></figcaption></figure>

**Save** your changes.

2. **Add the metadata file suffixes:**\
   On the same page, scroll down to Metadata File Suffixes:

<figure><img src="/files/lpknqUvQtUyAkqCXKCmx" alt="" width="563"><figcaption></figcaption></figure>

Add three lines: cspTrustedSite, corswhitelistorigin, and remoteSite

**NOTE: If your project is in Source format (SF CLI), you will need to add cspTrustedSite-meta.xml, corsWhitelistOrigin-meta.xml, and remoteSite-meta.xml instead.**

<figure><img src="/files/TZZrWaw3b7LiHO7ZSABE" alt="" width="563"><figcaption></figcaption></figure>

**Save** your changes.

3. **Add the rules to your Quality Profile:** \
   Add the rules to your custom quality profile as outlined in our [Customizing Quality Profiles](https://knowledgebase.autorabit.com/product-guides/codescan/quality-profiles/customizing-quality-profiles) article.

You’re ready to go! Run your project analysis; if any references to polyfill.io are found, a violation is raised on the configuration file, page, or component that contains them.

