Configuration for Polyfill.io Vulnerability Rules

On June 26th, 2024, Salesforce released a security notice warning of vulnerabilities in the polyfill.io JavaScript library and the CDN that serves it. CodeScan has released rules to find any uses of this library in your Salesforce Org.

There are 2 new rules that you can enable for your quality profiles:

  • Avoid Script References to polyfill.io: This rule checks your Lightning components and Visualforce pages for script references to polyfill.io and its CDN.

  • Avoid Configuration References to polyfill.io: This rule checks your Content Security Policy trusted sites, Cross-Origin Resource Sharing (CORS) allowlist and Remote Site Settings in your Salesforce metadata for references to, or allowlisting of, polyfill.io.

To ensure that your projects are scanning with these rules, refer to the following steps:

Note: If you are scanning from Salesforce directly using CodeScan’s built in Salesforce integration, start with step 1. Otherwise, skip to step 2.

  1. Add the metadata types for download: In the Project Settings > General Settings menu, scroll down to CodeScan Cloud Download Types:

Add three lines: CspTrustedSite, CorsWhitelistOrigin, and RemoteSiteSetting

Save your changes

  2. Add the metadata file suffixes: On the same page, scroll down to Metadata File Suffixes:

Add three lines: cspTrustedSite, corswhitelistorigin, and remoteSite

NOTE: If your project is in Source format (SF CLI), the same three suffixes carry a -meta.xml ending, so add cspTrustedSite-meta.xml, corswhitelistorigin-meta.xml, and remoteSite-meta.xml instead.

Save your changes

  3. Add the rules to your Quality Profile: Add the rules to your custom quality profile as outlined in our Customizing Quality Profiles article.

You’re ready to go! Run your project analysis; if any references to polyfill.io are found, a violation is raised on the offending configuration file, page or component. Each finding should be removed, or repointed to a copy of the polyfill script that you host and control, rather than left in place.
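To make concrete what the two rules look for, the following is an added, stand-alone triage script, not CodeScan's rule implementation and not part of the original article. It walks a Salesforce metadata tree, applies the file suffixes from steps 1 and 2 (both Metadata API and Source-format -meta.xml variants), flags script references in Visualforce and Lightning markup, and flags polyfill.io in the URL element of CspTrustedSite, CorsWhitelistOrigin and RemoteSiteSetting metadata. The element names endpointUrl, urlPattern and url are assumed from the Salesforce Metadata API; all sample files are constructed inline so it runs offline.

```python
"""Offline triage for polyfill.io references in a Salesforce metadata tree.

Added example; not CodeScan's rule code. Sample files below are constructed.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Suffixes from the configuration steps above; Source format appends -meta.xml.
CONFIG_SUFFIXES = (
    ".cspTrustedSite", ".corswhitelistorigin", ".remoteSite",
    ".cspTrustedSite-meta.xml", ".corswhitelistorigin-meta.xml", ".remoteSite-meta.xml",
)
# Visualforce pages/components and Lightning (Aura, LWC) markup and JavaScript.
SCRIPT_SUFFIXES = (".page", ".component", ".cmp", ".app", ".html", ".js")

# URL-bearing element per metadata type (assumed Salesforce Metadata API names).
URL_FIELDS = {"CspTrustedSite": "endpointUrl",
              "CorsWhitelistOrigin": "urlPattern",
              "RemoteSiteSetting": "url"}

# Absolute or protocol-relative (//host/...) URLs as they appear in markup.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""", re.IGNORECASE)


def is_polyfill_host(url: str) -> bool:
    """True when the parsed host is polyfill.io or a subdomain (e.g. cdn.polyfill.io).
    Matching on the host rather than a substring avoids flagging unrelated hosts
    whose name merely contains 'polyfill.io'."""
    host = urlparse(url if "//" in url else "//" + url).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == "polyfill.io" or host.endswith(".polyfill.io")


def scan_script_file(path: str) -> list:
    """Rule 1 analogue: line-level script/URL references in markup or JS."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            for url in URL_RE.findall(line):
                if is_polyfill_host(url):
                    hits.append(("script-reference", path, lineno, url))
    return hits


def scan_config_file(path: str) -> list:
    """Rule 2 analogue: allowlisting in CSP / CORS / Remote Site metadata."""
    root = ET.parse(path).getroot()
    kind = root.tag.split("}")[-1]          # strip the Metadata API namespace
    field = URL_FIELDS.get(kind)
    if field is None:
        return []
    hits = []
    for el in root.iter():
        if el.tag.split("}")[-1] == field and el.text and is_polyfill_host(el.text.strip()):
            hits.append(("config-reference", path, kind, el.text.strip()))
    return hits


def scan_tree(root_dir: str) -> list:
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(CONFIG_SUFFIXES):
                findings.extend(scan_config_file(path))
            elif name.endswith(SCRIPT_SUFFIXES):
                findings.extend(scan_script_file(path))
    return findings


# Constructed sample project: two script hits, two config hits, two clean files.
SAMPLES = {
    "pages/Legacy.page": '<apex:page>\n  <apex:includeScript value="https://cdn.polyfill.io/v3/polyfill.min.js"/>\n</apex:page>\n',
    "aura/Widget/Widget.cmp": '<aura:component>\n  <ltng:require scripts="//polyfill.io/v3/polyfill.min.js"/>\n</aura:component>\n',
    "lwc/clean/clean.js": 'import { LightningElement } from "lwc";\n// host that only contains the string: must not be flagged\nconst API = "https://polyfill.io.example.com/api";\n',
    "cspTrustedSites/Polyfill.cspTrustedSite": '<?xml version="1.0" encoding="UTF-8"?>\n<CspTrustedSite xmlns="http://soap.sforce.com/2006/04/metadata">\n  <endpointUrl>https://cdn.polyfill.io</endpointUrl>\n  <isActive>true</isActive>\n</CspTrustedSite>\n',
    "corswhitelistorigins/Polyfill.corswhitelistorigin-meta.xml": '<CorsWhitelistOrigin xmlns="http://soap.sforce.com/2006/04/metadata">\n  <urlPattern>https://polyfill.io</urlPattern>\n</CorsWhitelistOrigin>\n',
    "remoteSiteSettings/Other.remoteSite": '<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">\n  <url>https://api.example.com</url>\n</RemoteSiteSetting>\n',
}


def run_demo() -> list:
    """Write the constructed samples to a temp dir, scan, return sorted findings
    with paths made relative (forward slashes) so results are stable."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(body)
        findings = scan_tree(tmp)
        return sorted((k, os.path.relpath(p, tmp).replace(os.sep, "/"), a, b)
                      for k, p, a, b in findings)


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

Point scan_tree at a retrieved Metadata API package or an SF CLI source directory for a quick pre-scan; it does not replace the CodeScan rules, which run inside your quality profile, but it shows the same four kinds of hit the rules report and why a hostname match is used instead of a plain substring search.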
