TrenDemon is an ABM (Account-Based Marketing) content personalization platform. Critical findings include: (1) 6 eval() functions executing arbitrary JavaScript from CTA parameters enabling customer-level RCE, (2) polyfill.io supply chain vulnerability loading from COMPROMISED domain (June 2024), (3) 760-day cookie retention violating GDPR/ICO guidelines, (4) Cross-vendor Marketo cookie harvesting, (5) Base64 URL obfuscation to evade privacy tools.
This advisory exists to warn companies running TrenDemon on their sites. We do not notify vendors. We do not provide remediation windows. If you're using this vendor, this is your evidence.
What It Costs You
CAC Subsidization
Visitor data captured on a site can flow into data broker networks and identity graphs, eventually surfacing in competitor prospecting tools. The original company paid to acquire the traffic; competitors pay pennies to intercept the lead.
Signal Corruption
Overlapping tracking mechanisms corrupt attribution data. Multiple sources claim credit for single conversions. Pipeline metrics diverge from reality. Marketing decisions get made on numbers that can’t be trusted.
Legal Tail Risk
Pre-consent data collection, undisclosed data sharing, and consent signal violations create regulatory exposure. Class actions and regulatory fines can exceed entire annual marketing budgets. Liability sits with the site owner, not the vendor.
GTM Attack Surface
Third-party scripts execute with full privileges on every page load. Dangerous code patterns, external dependencies, and data interception turn marketing infrastructure into attack vectors. One compromised dependency compromises the entire site.
BTI-C: Behavioral Codes
BTSS Score Breakdown
Technical Evidence
Code Evidence
eval() arbitrary code execution in trends.min.js
$Trd_Utils.sendGa4Tracking = function(ctaParams, event, page) {
    var trackingCodeToEval;
    switch(event) {
        case "load": trackingCodeToEval = ctaParams.CustomImpressionTrackingCode;
        case "click": trackingCodeToEval = ctaParams.CustomClickTrackingCode;
    }
    // the string taken from the CTA configuration is handed straight to eval()
    return (trackingCodeToEval?.length) ? eval(trackingCodeToEval) : ...
}
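As an added example (not TrenDemon's code), a hardened rewrite of the pattern above: a CTA names a handler that the site owner registered in advance, so nothing in ctaParams is ever passed to eval(), and an audit helper flags CTA configurations that still carry code strings. The CustomClickTrackingHandler, CustomImpressionTrackingHandler and Id field names are assumptions.

```javascript
// Added example, not vendor code. Handlers the site owner explicitly installs
// at page build time; CTA configuration can only refer to them by name.
const trackingHandlers = new Map();

function registerTrackingHandler(name, fn) {
  if (typeof fn !== "function") throw new TypeError("handler must be a function");
  trackingHandlers.set(name, fn);
}

// Hardened counterpart of sendGa4Tracking: ctaParams carries handler *names*
// (assumed field names), never code. Returns the handler's result, or null
// when no registered handler matches.
function sendGa4TrackingSafe(ctaParams, event, page) {
  let handlerName;
  switch (event) {
    case "load":
      handlerName = ctaParams.CustomImpressionTrackingHandler;
      break; // explicit break: "load" must not fall through to "click"
    case "click":
      handlerName = ctaParams.CustomClickTrackingHandler;
      break;
    default:
      return null;
  }
  const handler =
    typeof handlerName === "string" ? trackingHandlers.get(handlerName) : undefined;
  if (!handler) return null;
  // Data is passed as an argument object; a code string in the name field is
  // simply an unknown key and is never interpreted.
  return handler({ event, page, ctaId: ctaParams.Id });
}

// Audit helper for site owners: returns the Ids (assumed field) of CTA
// configurations that still carry eval-style code strings.
function findCodeBearingCtaParams(ctaParamsList) {
  const codeKeys = ["CustomImpressionTrackingCode", "CustomClickTrackingCode"];
  return ctaParamsList
    .filter((p) => codeKeys.some((k) => typeof p[k] === "string" && p[k].trim().length > 0))
    .map((p) => p.Id);
}
```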
Marketo cookie exfiltration
GET /api/experience/personal?
    AccountId=2705&
    ClientUrl=https://6sense.com/gartner-abm-magic-quadrant/&
    MarketingAutomationCookie=id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80&
    vid=2705:17648180428546372
Host: trackingapi.trendemon.com
polyfill.io supply chain vulnerability (Lines 13108-13145)
t.prototype.loadPollyills = function (t) { // Note: MISSPELLED
    if (Array.prototype.findIndex) t(); // Modern browser - skip
    else {
        var e = document.createElement("script");
        e.src = "https://polyfill.io/v3/polyfill.min.js?features=...";
        // LOADS FROM COMPROMISED DOMAIN ON OLDER BROWSERS (IE11, Safari <9)
    }
};
Network Evidence
https://trackingapi.trendemon.com/api/settings/{accountId} - Configuration fetch
https://trackingapi.trendemon.com/api/events/pageview - Page view tracking with Base64-encoded URL
https://trackingapi.trendemon.com/api/events/pageread - Content read tracking
https://trackingapi.trendemon.com/api/experience/personal - Personalization + Marketo cookie exfiltration
https://trackingapi.trendemon.com/api/experience/ace-campaign - Campaign targeting
Legal Touchpoints
Storage limitation - 760-day cookie retention
No valid legal basis for cross-vendor cookie sharing
Cross-vendor data sharing may constitute 'sale' of PI
Cookie consent required before setting tracking cookies
Citation Templates
“Vendor shall not engage in behaviors classified under BTI-2025-0025 (TrenDemon), including BTI-C09 (Consent Bypass).”
“BTI Advisory BTI-2025-0025 documents TrenDemon engaging in Consent Bypass (BTSS 9.5, CRITICAL).”
“We have identified TrenDemon as exhibiting Consent Bypass behavior per BTI Advisory BTI-2025-0025. Full details: deployblackout.com/bti/BTI-2025-0025”