Salesforce.com patched a cross-site scripting vulnerability on one of its domains that could have led to phishing attacks.