
Trendemon Tag Security Hardening

Last updated: December 7th 2025

Overview

On December 5th 2025, an independent security researcher notified us via LinkedIn about a potential security vulnerability related to the Trendemon website tag.

We have no evidence that any customer or partner account was compromised, and no malicious use of Trendemon’s infrastructure has been identified. However, we treat any potential security issue with the highest priority.

Within an hour of being notified, we removed a legacy third party library from our tag. We are also using this as an opportunity to run a focused Tag Security Hardening effort to improve our overall security posture and make the tag’s behavior even more transparent and predictable.

Security and transparency are core values at Trendemon. Putting customers and partners first means:

  • responding quickly when concerns are raised
  • tightening any legacy patterns that increase risk
  • clearly explaining what changed and when

This document summarizes:

  1. What was reported
  2. What we have already changed
  3. What we are now rolling out (including deprecating eval-based functions within the next 72 hours)

1. Summary of the reported issues


The researcher’s review of the Trendemon tag highlighted three main areas of concern:

1. Legacy third party library

  • The tag was loading a legacy third party library (polyfill-style dependency) that has since been flagged as a supply chain risk in the broader web ecosystem.

2. Dynamic code execution / eval usage

  • Certain advanced/legacy integration paths in the tag used dynamic code execution patterns (for example, via eval or similar constructs) to support flexible custom actions and integrations.
  • While these were product features and not malware, such patterns increase risk and make it harder for customer security teams to reason about the exact behavior of the tag.

3. Cookie and integration behavior

  • The researcher raised concerns about:
    • how marketing-automation-related identifiers were read and sent to Trendemon as part of identity pairing integrations, and
    • cookie lifetimes, including reports of very long-lived cookies.

In all cases, the reported behavior related to features of the platform, not an identified external compromise of Trendemon or a known breach of customer systems. Nonetheless, we are tightening these areas to align with modern security best practices and our own standards.


2. Actions already completed


2.1 Removal of legacy third party library

  • Within an hour of receiving the report, we removed the legacy third party library from:
    • the Trendemon core tag
    • any dependent components in our platform
  • Updated builds of the tag were deployed so that this library is no longer loaded on customer or partner sites.

2.2 Initial review and validation

  • We conducted an initial review of:
    • tag loading behavior
    • marketing automation integration paths
    • cookie creation and lifetimes
  • As of this review, we have no indication of malicious activity or unauthorized access via the Trendemon tag.
  • We confirmed that the tag’s behavior is consistent with Trendemon’s documented purpose as a personalization and journey analytics platform, while identifying legacy patterns that we are now hardening or deprecating.

2.3 Documentation and transparency

  • This Tag Security Hardening document has been created to describe:
    • what was reported
    • what has changed
    • and what will change in the coming days
  • We are aligning our public documentation with the current behavior of the tag and will clearly note the date and nature of changes.

3. Changes being rolled out now (next 72 hours)


Over the next 72 hours we are deploying a focused set of changes to the Trendemon tag and related services to substantially reduce risk and increase clarity.

3.1 Deprecation of eval-based dynamic execution

What is changing

  • We are deprecating and removing all eval-based dynamic execution paths from the Trendemon tag.
  • This includes legacy/advanced integration mechanisms that allowed arbitrary JavaScript to be executed via tag configuration (for example, via “generic script component” behavior).

What replaces it

  • Where functionality is still needed, we are moving to a declarative, whitelisted model, such as:
    • explicit, predefined actions (e.g., show/hide elements, change content, trigger events),
    • clearly defined integration modules, instead of arbitrary scripts.
  • Any integration that cannot be supported safely under this model will be disabled or redesigned.

Why this matters

  • Removing eval and similar patterns:
    • significantly raises the bar against misuse or compromise,
    • simplifies review for customer security teams,
    • and aligns the tag with modern Content Security Policy (CSP) expectations.
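
The declarative, allow-listed action model described above, as an added example that is not Trendemon's code: a configuration may only name predefined actions, so no string from tag configuration ever reaches eval and the tag can run under a CSP that omits 'unsafe-eval'. The action names, the selector-based targeting, and the stub document and element are assumptions made for this illustration.

```javascript
// Added example, not Trendemon's code: a declarative, allow-listed action model
// standing in for eval-based tag configuration. Assumes `doc` and elements look
// like DOM objects (querySelectorAll, style.display, textContent, dispatchEvent).

// The only operations a configuration may request. No eval()/Function(), so the
// tag can run under a CSP script-src that omits 'unsafe-eval'.
const ALLOWED_ACTIONS = Object.freeze({
  show:    (el) => { el.style.display = ''; },
  hide:    (el) => { el.style.display = 'none'; },
  setText: (el, p) => { el.textContent = String(p.text ?? ''); },
  emit:    (el, p) => { el.dispatchEvent({ type: String(p.event ?? 'trendemon') }); },
});
// Legacy pattern being replaced (contrast only, never called): eval(config.script)

function validateAction(action) {
  if (action === null || typeof action !== 'object') throw new TypeError('action must be an object');
  // hasOwnProperty keeps inherited names such as "constructor" off the allow-list.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, action.type)) {
    throw new Error(`action type not allowed: ${String(action.type)}`);
  }
  if (typeof action.selector !== 'string' || action.selector === '') {
    throw new Error('selector must be a non-empty string');
  }
  const params = action.params ?? {};
  if (typeof params !== 'object') throw new TypeError('params must be an object');
  return { type: action.type, selector: action.selector, params };
}

// Fail closed: validate every action before applying any, so one bad entry
// rejects the whole configuration. Returns the number of element updates made.
function runActions(actions, doc) {
  if (!Array.isArray(actions)) throw new TypeError('actions must be an array');
  const checked = actions.map(validateAction);
  let applied = 0;
  for (const a of checked) {
    for (const el of doc.querySelectorAll(a.selector)) {
      ALLOWED_ACTIONS[a.type](el, a.params);
      applied += 1;
    }
  }
  return applied;
}

// Minimal constructed stand-ins for document and element, for runs outside a browser.
function stubElement() {
  return { style: { display: '' }, textContent: '', events: [],
           dispatchEvent(e) { this.events.push(e.type); } };
}
function stubDoc(bySelector) { return { querySelectorAll: (sel) => bySelector[sel] ?? [] }; }
```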

3.2 Hardening marketing automation integrations

What is changing

  • We are tightening marketing automation (MA) integrations so that:
    • They are only active when explicitly enabled by the customer in their account configuration.
    • Their behavior (including what identifiers are read and how they are used) is narrowly scoped and documented.

Key points

  • Trendemon does not use MA identifiers to log into or impersonate customer marketing platforms.
  • Integrations are used for identity pairing and attribution within Trendemon, and we are making that behavior:
    • more conservative
    • more transparent
    • and easier to audit

3.3 Cookie behavior and retention

What is changing

  • We are reviewing all tag-related cookies to ensure:
    • names, purposes, and lifetimes match our documentation
    • expirations are within reasonable, documented ranges (no “year 9999” style anomalies)
    • retention aligns with customer policies and regulatory expectations

Outcome

  • A cleaned-up, clearly documented set of cookies with:
    • defined purposes
    • defined retention
    • and tight alignment between documentation and actual behavior
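
An added example, not Trendemon's tooling, of the kind of check the cookie review above calls for: it parses Set-Cookie headers, computes each cookie's lifetime, and flags cookies that are undocumented or exceed a documented maximum, including the “year 9999” case. The cookie names, the policy limits, and the sample headers are constructed.

```javascript
// Added example, not Trendemon's tooling: audit Set-Cookie headers against a
// documented per-cookie retention policy. Names, limits and headers are constructed.
// Documented policy (constructed): cookie name -> maximum lifetime in days.
const COOKIE_POLICY = Object.freeze({ td_session: 1, td_visitor: 365 });

// Parse one Set-Cookie header into { name, attrs }; attribute names are
// lower-cased, attribute values keep their original text ('' for flags).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error(`malformed Set-Cookie: ${header}`);
  const attrs = Object.create(null);
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.join('=');
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Lifetime in days from `now`; Max-Age beats Expires (RFC 6265); session cookie -> 0.
function lifetimeDays(cookie, now) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']) / 86400;
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    if (Number.isNaN(t)) throw new Error(`unparseable Expires on ${cookie.name}`);
    return (t - now.getTime()) / 86400000;
  }
  return 0;
}

// Findings: cookies missing from the policy, and cookies whose lifetime
// exceeds the documented maximum (a far-future Expires lands here).
function auditCookies(headers, policy, now) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!Object.prototype.hasOwnProperty.call(policy, c.name)) {
      findings.push({ name: c.name, issue: 'undocumented' });
      continue;
    }
    const days = lifetimeDays(c, now);
    if (days > policy[c.name]) findings.push({ name: c.name, issue: 'too-long', days });
  }
  return findings;
}
const SAMPLE_HEADERS = [ // constructed sample for an offline run
  'td_session=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
  'td_visitor=v1; Path=/; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Secure',
  'td_legacy=old; Path=/; Max-Age=63072000; Secure',
];
```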

3.4 Logging and observability improvements

What is changing

  • We are improving logging around:
    • which integrations are active for which accounts
    • how often sensitive integration paths are invoked

Why this matters

  • This allows us to:
    • respond faster and more accurately to future security questions
    • provide more precise impact analysis for specific customers or partners if needed

4. Longer-term hardening and governance


Beyond the immediate 72-hour changes, we are:

  • Evaluating additional architectural simplifications of the tag to further reduce attack surface.
  • Considering an external security review of the updated tag and key integration paths.
  • Formalizing our vulnerability disclosure process and incorporating security review gates for any changes that affect:
    • cookie handling
    • integrations with third party systems
    • dynamic code execution or tag behavior on customer sites


5. How this affects customers and partners


For most customers and partners, these changes will be silent improvements:

  • The purpose of Trendemon (personalization and journey analytics) remains the same.
  • The tag will behave in a more predictable and security-conscious way.
  • Advanced/legacy features that depended on eval or overly flexible scripting may be:
    • redesigned, or
    • turned off if they cannot be made safe.

Where a specific configuration or integration is impacted:

  • Our Customer Success team will proactively reach out to discuss alternatives and ensure continuity where needed.

6. Key talking points for customer-facing teams


When discussing this with customers or partners, please align on the following points:

  1. What happened

    • A security researcher reported a potential vulnerability related to our website tag.

    • There is no evidence of any account or data compromise, but we treated the report as a serious incident.

  2. Immediate remediation

    • Within an hour of receiving the report, we removed a legacy third party library from our tag and platform.

    • We initiated a focused Tag Security Hardening effort.

  3. What has already changed

    • The legacy library is no longer loaded anywhere by the Trendemon tag.

    • We’ve completed an initial review of tag behavior, integrations, and cookies.

    • We created this Tag Security Hardening document to clearly explain actions taken.

  4. What is now being rolled out (next 72 hours)

    • Deprecation and removal of eval-based dynamic execution from the tag.

    • Hardening of marketing automation integrations so they are tightly scoped, explicitly opt-in, and fully documented.

    • Normalization of cookie lifetimes and behavior to align with documentation and customer policies.

    • Improved logging and observability around integration usage.

  5. Our priorities and values

    • The security of our customers, partners, and their users is our highest priority.

    • Transparency is a core Trendemon value: when an issue is raised, we investigate, improve, and clearly explain what changed.

  6. Where to learn more

    • This document and the higher-level Tag Security Hardening – Partner and Customer Update provide written details.

    • We are happy to arrange a technical review session with customer or partner security teams to walk through the tag’s behavior and the recent changes in more depth.