Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-38537

NONE
Published 2024-07-02T19:50:10.275Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-38537. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
0.0
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.048
probability
of exploitation in the wild

There is a 4.8% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.890
Higher than 89.0% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
NONE
Availability
NONE

Description

Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.

The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

ethyca

fides

Affected Versions:

< 2.39.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed LOW

Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js

GHSA-cvw4-c69g-7v7m

Advisory Details

### Note On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability **unexploitable**. The following sections describe this vulnerability prior to the domain level intervention, when it was still exploitable. ### Impact `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. On June 25th, 2024, Sansec published the following regarding the `polyfill.io` domain. > The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain... However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the compromised domain. No exploitation of `fides.js` via `polyfill.io` has been identified at this time, but other script developers who use `https://cdn.polyfill.io/v2/polyfill.min.js` have reported redirects to malicious websites. ### Patches The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. caniuse.com/fetch estimates that 97.52% of browser users use a browser that supports the fetch standard. ### References - https://sansec.io/research/polyfill-supply-chain-attack - https://github.com/ethyca/fides/pull/5026/ - https://fetch.spec.whatwg.org/

Affected Packages

PyPI ethyca-fides
ECOSYSTEM: ≥0 <2.39.1

CVSS Scoring

CVSS Score

2.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

References

WEB https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-38537
WEB https://github.com/ethyca/fides/pull/5026
WEB https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005
WEB https://fetch.spec.whatwg.org
PACKAGE https://github.com/ethyca/fides
WEB https://sansec.io/research/polyfill-supply-chain-attack

Advisory provided by GitHub Security Advisory Database. Published: July 2, 2024, Modified: July 5, 2024

References

https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m
https://github.com/ethyca/fides/pull/5026
https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005
https://fetch.spec.whatwg.org
https://sansec.io/research/polyfill-supply-chain-attack
Published: 2024-07-02T19:50:10.275Z
Last Modified: 2024-08-02T04:12:24.976Z
Copied to clipboard!