CVE-2024-38537: Ethyca Fides XSS Vulnerability

CVE-2024-38537 Overview

CVE-2024-38537 is a supply chain vulnerability in Fides, an open-source privacy engineering platform developed by Ethyca. The vulnerability exists in fides.js, a client-side script used to interact with the consent management features of Fides. The script contained a dependency on the polyfill.io domain, which was compromised and began serving malicious scripts to users.

When fides.js detected a legacy browser (such as Internet Explorer 11) that did not support the fetch standard, it would dynamically load a polyfill script from polyfill.io. After the domain was compromised in June 2024, this behavior created a potential attack vector where users of legacy browsers could unknowingly download and execute malicious code from the compromised domain.

Critical Impact

Users of legacy pre-2017 browsers navigating to pages serving fides.js could have malicious scripts downloaded and executed from the compromised polyfill.io domain, potentially leading to complete compromise of confidentiality, integrity, and availability.

Affected Products

• Ethyca Fides versions prior to 2.39.1
• Websites using fides.js client-side script with legacy browser support
• Applications integrating Fides consent management features

Discovery Timeline

• 2024-06-27 - Cloudflare and Namecheap intervened at the domain level to prevent polyfill.io from resolving to the compromised service
• 2024-07-02 - CVE-2024-38537 published to NVD
• 2025-09-02 - Last updated in NVD database

Technical Details for CVE-2024-38537

Vulnerability Analysis

This vulnerability represents a classic supply chain attack vector through third-party JavaScript dependencies. The fides.js script included conditional logic to detect legacy browsers that lacked native support for the Fetch API. When such browsers were detected, the script would dynamically inject a <script> element referencing the polyfill.io CDN to provide Fetch API compatibility.

The core issue stems from CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), where the application trusted an external domain to serve benign code. When polyfill.io was acquired by a malicious actor and began serving compromised scripts, any legacy browser user visiting a Fides-enabled page became a potential victim.

The attack required no user interaction beyond visiting a page that loaded fides.js. Once the malicious script was executed in the user's browser context, attackers could potentially steal cookies, credentials, inject content, or redirect users to malicious sites.

Root Cause

The root cause is the inclusion of an external third-party script from an untrusted domain (polyfill.io) without proper integrity verification. The dynamic script injection lacked Subresource Integrity (SRI) checks, meaning the client browser had no way to verify that the loaded script matched an expected hash. When the polyfill.io domain was compromised in the broader supply chain attack documented by Sansec Research, all consumers of the service became vulnerable.

Attack Vector

The attack exploits the network-based delivery of JavaScript to legacy browsers. The exploitation flow is as follows:

1. A user with a legacy browser (IE11 or similar pre-2017 browser) navigates to a webpage with Fides consent management
2. The fides.js script detects the browser lacks native Fetch API support
3. The script dynamically creates a script element pointing to https://polyfill.io/v3/polyfill.min.js?features=fetch
4. The compromised polyfill.io domain serves malicious JavaScript instead of the legitimate polyfill
5. The malicious script executes in the user's browser context with full access to the page

The following code shows the vulnerable implementation that was patched:

 
   const script = `
   (function () {
-    // This polyfill service adds a fetch polyfill only when needed, depending on browser making the request
-    if (!window.fetch) {
-      var script = document.createElement('script');
-      script.src = 'https://polyfill.io/v3/polyfill.min.js?features=fetch';
-      document.head.appendChild(script);
-    }
-
     // Include generic fides.js script and GPP extension (if enabled)
     ${fidesJS}${fidesGPP}${
     customFidesCss

Source: GitHub Commit Reference

Detection Methods for CVE-2024-38537

Indicators of Compromise

• Network connections to polyfill.io or its subdomains from web applications
• JavaScript files containing references to polyfill.io/v3/polyfill.min.js
• Browser console errors or unexpected script execution on pages using Fides consent management
• Unusual HTTP requests originating from pages with fides.js to unknown external domains

Detection Strategies

• Scan JavaScript assets for any references to polyfill.io domain strings
• Implement Content Security Policy (CSP) reporting to detect unauthorized script sources
• Monitor web application firewall (WAF) logs for connections to known compromised CDN domains
• Review browser telemetry data for script injection patterns associated with polyfill-based attacks

Monitoring Recommendations

• Enable network-level DNS monitoring to detect any resolution attempts to polyfill.io
• Configure SIEM rules to alert on JavaScript loading from CDN domains not in an approved allowlist
• Implement client-side monitoring to track dynamically injected script elements
• Audit third-party script dependencies regularly using software composition analysis (SCA) tools

How to Mitigate CVE-2024-38537

Immediate Actions Required

• Upgrade Ethyca Fides to version 2.39.1 or later immediately
• Audit all JavaScript assets for references to polyfill.io and remove them
• Implement Content Security Policy headers to restrict script sources to trusted domains
• Consider dropping support for legacy browsers that require fetch polyfills

Patch Information

The vulnerability has been patched in Fides version 2.39.1. The fix completely removes the conditional polyfill loading logic, eliminating the dependency on the polyfill.io domain. Organizations should upgrade to this version or later to remediate the vulnerability.

Relevant patch references:

• GitHub Security Advisory
• GitHub Pull Request #5026
• GitHub Commit 868c4d6

On June 27, 2024, Cloudflare and Namecheap intervened at the domain level to ensure polyfill.io could not resolve to the compromised service, rendering this specific vulnerability unexploitable even on unpatched systems.

Workarounds

• Ensure users access the application using modern browsers that support the native Fetch API (all major browsers since 2017)
• Block network connections to polyfill.io at the firewall or DNS level
• Implement CSP headers to prevent script loading from polyfill.io: script-src 'self' trusted-cdn.example.com;
• If legacy browser support is required, self-host the fetch polyfill or use a trusted alternative CDN with SRI verification

# Block polyfill.io at the DNS level using hosts file
echo "0.0.0.0 polyfill.io" >> /etc/hosts
echo "0.0.0.0 cdn.polyfill.io" >> /etc/hosts

# Example CSP header to restrict script sources (add to web server config)
# Apache: Header set Content-Security-Policy "script-src 'self';"
# Nginx: add_header Content-Security-Policy "script-src 'self';";