Cyber Resilience

CVE-2024-38537

Low

Published: 02 July 2024

Published
02 July 2024
Modified
02 September 2025
KEV Added
Patch
CVSS Score v3.1 0.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
EPSS Score 0.2223 95.9th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-38537 is an uncategorised-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Ethyca Fides. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks in the top 4.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

Fides is an open-source privacy engineering platform whose client-side consent script fides.js contained a dependency on the polyfill.io domain. The script loaded resources from that domain only in a narrow edge case when a legacy browser such as IE11 lacking native fetch support was detected, introducing an inclusion of functionality from an untrusted control sphere (CWE-829).

An attacker who had already compromised polyfill.io could therefore serve malicious JavaScript to any visitor using one of those pre-2017 browsers on a page that included fides.js, resulting in arbitrary code execution within the victim’s browser context. No evidence of such exploitation against fides.js has been observed.

The issue was corrected in Fides 2.39.1. On 27 June 2024 Cloudflare and Namecheap blocked resolution of polyfill.io and its subdomains, eliminating the attack surface for all clients regardless of browser version. Prior to that intervention the only reliable client-side mitigation was use of a modern browser that implements the fetch standard.

The associated EPSS score reached a peak of 0.2223 with no subsequent material increase.

Vulnerability details

Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The vulnerability causes fides.js to dynamically load and execute JavaScript from the compromised polyfill.io domain in legacy browsers, enabling adversaries to leverage JavaScript for execution (T1059.007), perform drive-by compromises (T1189), and distribute payloads via a compromised software supply chain (T1195.002).

Affected Assets

ethyca
fides
≤ 2.39.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-829

Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.

addresses: CWE-829

Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.

addresses: CWE-829

The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.

addresses: CWE-829

Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.

addresses: CWE-829

Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.

addresses: CWE-829

Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.

addresses: CWE-829

Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.

addresses: CWE-829

Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres.
