Summary
Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Note
On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure polyfill.io and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable.
The following sections describe this vulnerability prior to the domain level intervention, when it was still exploitable.
Workarounds
Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high.
Clients could ensure they were not affected by using a modern browser that supported the fetch standard. caniuse.com/fetch estimates that 97.52% of browser users use a browser that supports the fetch standard.
References
Impact
fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard.
On June 25th, 2024, Sansec published the following regarding the polyfill.io domain.
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain... However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.
Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving fides.js to download and execute malicious scripts from the compromised domain.
No exploitation of fides.js via polyfill.io has been identified at this time, but other script developers who use https://cdn.polyfill.io/v2/polyfill.min.js have reported redirects to malicious websites.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The vulnerability has been patched in Fides version 2.39.1. Users are advised to upgrade to this version or later to secure their systems against this threat.
Frequently Asked Questions
- What is CVE-2024-38537? CVE-2024-38537 is a low-severity security vulnerability in ethyca-fides (pip), affecting versions < 2.39.1. It is fixed in 2.39.1.
- Which versions of ethyca-fides are affected by CVE-2024-38537? ethyca-fides (pip) versions < 2.39.1 is affected.
- Is there a fix for CVE-2024-38537? Yes. CVE-2024-38537 is fixed in 2.39.1. Upgrade to this version or later.
- Is CVE-2024-38537 exploitable, and should I be worried? Whether CVE-2024-38537 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-38537 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-38537? Upgrade
ethyca-fidesto 2.39.1 or later.