BTI-2025-0025
CRITICAL | BTI-C09 | PUBLISHED
BTSS 9.5

TrenDemon

TrenDemon ABM Platform - eval() RCE, polyfill.io Supply Chain & Cross-Vendor Cookie Harvesting


Summary

TrenDemon is an ABM (Account-Based Marketing) content personalization platform. Critical findings include: (1) 6 eval() functions executing arbitrary JavaScript from CTA parameters enabling customer-level RCE, (2) polyfill.io supply chain vulnerability loading from COMPROMISED domain (June 2024), (3) 760-day cookie retention violating GDPR/ICO guidelines, (4) Cross-vendor Marketo cookie harvesting, (5) Base64 URL obfuscation to evade privacy tools.

BTSS Score Breakdown

| Component            | Score   |
|----------------------|---------|
| Exploitability       | 3.5 / 4 |
| Data Sensitivity     | 2.5 / 3 |
| Prevalence           | 2 / 2   |
| Detection Difficulty | 1.5 / 1 |

Technical Details

## eval() Arbitrary Code Execution

The trends.min.js SDK contains a critical vulnerability in $Trd_Utils.sendGa4Tracking:

```javascript
$Trd_Utils.sendGa4Tracking = function(ctaParams, event, page) {
  var trackingCodeToEval;
  switch(event) {
    case "load": trackingCodeToEval = ctaParams.CustomImpressionTrackingCode; break;
    case "click": trackingCodeToEval = ctaParams.CustomClickTrackingCode; break;
  }
  return (null == trackingCodeToEval ? void 0 : trackingCodeToEval.length)
    ? eval(trackingCodeToEval) // <-- ARBITRARY CODE EXECUTION
    : dataLayer.push(...)
}
```

Any TrenDemon customer (or an attacker who compromises the CTA configuration) can execute arbitrary JavaScript in visitor browsers.

## Marketo Cookie Harvesting

TrenDemon reads the Marketo _mkto_trk cookie, Base64-encodes it, stores it as trd_ma_cookie, and transmits it to trackingapi.trendemon.com/api/experience/personal. Evidence from HAR lines 3206-3207:

```json
{
  "name": "trd_ma_cookie",
  "value": "aWQ6OTU4LVRUTS03NDQmdG9rZW46X21jaC02c2Vuc2UuY29tLTMzZmUzNWQ0ZGY4ZDZlMzM0NDE5MjU0NTJhN2IwZTgw"
}
```

Decoded: `id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80`
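A capture check for the cookie relay described above, as an added example that is not TrenDemon's code: it walks HAR-style request entries, unwraps the Base64 trd_ma_cookie value, and flags any Marketo identifier that reaches a host outside the cookie's own domain. The HAR entries are constructed from the request quoted in this advisory, and the _mkto_trk pattern is an assumption derived from the decoded value above.

```javascript
// Added example, not TrenDemon's code. Constructed HAR-style entries; the
// _mkto_trk pattern is assumed from the decoded value in the advisory.
const MKTO_TRK_RE = /^id:(\d+-[A-Z]{3}-\d+)&token:_mch-([a-z0-9.-]+)-([0-9a-f]{32})$/;

function decodeBase64(value) {
  return Buffer.from(value, "base64").toString("utf8");
}

// Returns the parts of a Marketo tracking cookie, or null if `text` is not one.
function parseMarketoCookie(text) {
  const m = MKTO_TRK_RE.exec(text);
  return m ? { munchkinId: m[1], domain: m[2], token: m[3] } : null;
}

// Walks HAR request entries and reports every Marketo identifier seen in a
// query string (raw) or a cookie (raw or Base64-wrapped). A finding is
// cross-vendor when the receiving host is outside the cookie's own domain.
function findMarketoLeaks(entries) {
  const findings = [];
  const sameSite = (host, d) => host === d || host.endsWith("." + d);
  const report = (host, via, hit) =>
    findings.push({ host, via, ...hit, crossVendor: !sameSite(host, hit.domain) });
  for (const { request } of entries) {
    const host = new URL(request.url).hostname;
    for (const q of request.queryString || []) {
      const hit = parseMarketoCookie(q.value);
      if (hit) report(host, `query:${q.name}`, hit);
    }
    for (const c of request.cookies || []) {
      const hit = parseMarketoCookie(c.value) || parseMarketoCookie(decodeBase64(c.value));
      if (hit) report(host, `cookie:${c.name}`, hit);
    }
  }
  return findings;
}

// Constructed sample: the TrenDemon request quoted above, plus the first-party
// page where the same Marketo cookie legitimately lives.
const MKTO = "id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80";
const SAMPLE_ENTRIES = [
  { request: {
      url: "https://trackingapi.trendemon.com/api/experience/personal?AccountId=2705",
      queryString: [{ name: "MarketingAutomationCookie", value: MKTO }],
      cookies: [{ name: "trd_ma_cookie",
                  value: "aWQ6OTU4LVRUTS03NDQmdG9rZW46X21jaC02c2Vuc2UuY29tLTMzZmUzNWQ0ZGY4ZDZlMzM0NDE5MjU0NTJhN2IwZTgw" }] } },
  { request: {
      url: "https://6sense.com/gartner-abm-magic-quadrant/",
      cookies: [{ name: "_mkto_trk", value: MKTO }] } },
];

console.log(findMarketoLeaks(SAMPLE_ENTRIES).filter((f) => f.crossVendor));
```

Run it against a real HAR export's `log.entries` array to list every third-party host that received a Marketo identifier, raw or Base64-wrapped.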

Code Evidence

javascript: https://assets.trendemon.com/tag/trends.min.js

eval() arbitrary code execution in trends.min.js

```javascript
$Trd_Utils.sendGa4Tracking = function(ctaParams, event, page) {
  var trackingCodeToEval;
  switch(event) {
    case "load": trackingCodeToEval = ctaParams.CustomImpressionTrackingCode; break;
    case "click": trackingCodeToEval = ctaParams.CustomClickTrackingCode; break;
  }
  return (trackingCodeToEval?.length) ? eval(trackingCodeToEval) : ...
}
```
http: HAR line 71875

Marketo cookie exfiltration

```http
GET /api/experience/personal?
  AccountId=2705&
  ClientUrl=https://6sense.com/gartner-abm-magic-quadrant/&
  MarketingAutomationCookie=id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80&
  vid=2705:17648180428546372
Host: trackingapi.trendemon.com
```
javascript: https://assets.trendemon.com/tag/trends.min.js

polyfill.io supply chain vulnerability (lines 13108-13145)

```javascript
t.prototype.loadPollyills = function (t) {  // Note: MISSPELLED
  if (Array.prototype.findIndex) t();  // Modern browser - skip
  else {
    var e = document.createElement("script");
    e.src = "https://polyfill.io/v3/polyfill.min.js?features=...";
    // LOADS FROM COMPROMISED DOMAIN ON OLDER BROWSERS (IE11, Safari <9)
  }
};
```

Network Evidence

GET https://trackingapi.trendemon.com/api/settings/{accountId}

Configuration fetch

GET https://trackingapi.trendemon.com/api/events/pageview

Page view tracking with Base64-encoded URL

GET https://trackingapi.trendemon.com/api/events/pageread

Content read tracking

GET https://trackingapi.trendemon.com/api/experience/personal

Personalization + Marketo cookie exfiltration

GET https://trackingapi.trendemon.com/api/experience/ace-campaign

Campaign targeting

Legal Touchpoints

GDPR Art. 5(1)(e) (European Union)

Storage limitation - 760-day cookie retention

GDPR Art. 6 (European Union)

No valid legal basis for cross-vendor cookie sharing

CCPA 1798.140 (California)

Cross-vendor data sharing may constitute 'sale' of PI

ePrivacy Directive Art. 5(3) (European Union)

Cookie consent required before setting tracking cookies

Created: 2025-12-04 | Updated: 2025-12-04 | Version: 1

Tags: #eval-vulnerability #arbitrary-code-execution #cross-vendor-cookie-harvesting #extreme-cookie-lifetime #base64-obfuscation