PT-2024-28062 · Microsoft · Ie11

Published 2024-07-02 · Updated 2024-07-03 · CVE-2024-38537 · CVSS v3.1 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.39.1
Description: The issue concerns fides.js, the client-side script that implements the consent management features of Fides in the browser. In a limited edge case, when fides.js detects a legacy browser such as IE11 that does not support the fetch standard, it loads a polyfill from the polyfill.io domain. Because polyfill.io was compromised and began serving malware, users of such legacy, pre-2017 browsers could have downloaded and executed malicious scripts from that domain, running with the privileges of the page that embeds fides.js. No exploitation of fides.js via polyfill.io has been identified. The advisory gives no estimate of the number of affected devices, but notes that 97.52% of browser users run a browser that supports the fetch standard, so only the remaining legacy share ever triggers the polyfill.io fallback.
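As an added illustration, and not code from fides.js or from the Fides fix, the JavaScript below contrasts the fallback pattern the description refers to (feature-detect `fetch`, and if it is missing pull a polyfill from a third-party CDN) with a variant that only ever loads first-party code, and adds a small audit helper that flags any script source outside the site's own origin. The window stand-ins, function names, the first-party path and the polyfill.io URL are all constructed for this example.

```javascript
// Added example, not Fides' own code. Shows why a feature-detection fallback
// that loads from a third-party CDN is a supply-chain dependency, and a
// hardened variant. All names and URLs here are hypothetical.

// Constructed stand-ins for the two browser environments in the advisory.
// A modern browser exposes window.fetch; an IE11-style browser does not.
const MODERN_WINDOW = { fetch: function () {}, location: { origin: "https://example.com" } };
const LEGACY_WINDOW = { location: { origin: "https://example.com" } };

// Vulnerable pattern: when fetch is missing, inject a <script> whose source is
// a third-party domain. Whoever controls that domain controls code that runs
// in the embedding page's origin, for every legacy visitor.
function legacyPolyfillPlan(win) {
  if (typeof win.fetch === "function") {
    return { loads: false, src: null };
  }
  return { loads: true, src: "https://polyfill.io/v3/polyfill.min.js?features=fetch" };
}

// Hardened pattern: ship the polyfill with the application and serve it from
// the first-party origin (a hypothetical /static path), so the set of code
// that can run is fixed at build time rather than decided by a CDN at runtime.
function hardenedPolyfillPlan(win) {
  if (typeof win.fetch === "function") {
    return { loads: false, src: null };
  }
  return { loads: true, src: win.location.origin + "/static/fetch-polyfill.js" };
}

// Builds the attributes a loader would put on the injected <script>, without
// touching a real DOM so the function can be exercised headlessly.
function scriptAttributes(plan) {
  if (!plan.loads) {
    return null;
  }
  return { src: plan.src, async: true };
}

// Audit helper: true when a script source resolves to a different origin than
// the site itself. Inventory checks like this catch third-party loaders that
// only fire in edge cases (legacy browsers) and so never show up in normal QA.
function isThirdPartyScript(src, firstPartyOrigin) {
  if (src === null) {
    return false;
  }
  return new URL(src, firstPartyOrigin).origin !== firstPartyOrigin;
}

// Returns every third-party script source from a list of sources observed on a page.
function auditScriptSources(sources, firstPartyOrigin) {
  return sources.filter((src) => isThirdPartyScript(src, firstPartyOrigin));
}

// Constructed sample: the scripts a crawler might record on a page after
// visiting it with a legacy browser profile.
const SAMPLE_PAGE_SCRIPTS = [
  "https://example.com/fides.js",
  "https://polyfill.io/v3/polyfill.min.js?features=fetch",
];
```

The useful property of the hardened variant is not the specific path but that the fallback never introduces a new origin: a modern visitor loads nothing extra, and a legacy visitor loads only first-party code. Subresource Integrity would not have helped with the vulnerable variant, because a service that tailors the polyfill bundle to each User-Agent serves different bytes to different clients, so no single hash can be pinned; self-hosting or bundling the polyfill is the practical control.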
Recommendations: For Fides versions prior to 2.39.1, upgrade to version 2.39.1 or later. As a temporary workaround, end users can browse with a modern browser that supports the fetch standard, since such browsers never trigger the polyfill.io fallback. Note that this workaround lies with the visitor, not the site operator; an operator embedding fides.js cannot control which browsers visitors use, so upgrading is the only measure on the operator's side.


Related Identifiers

CVE-2024-38537
GHSA-CVW4-C69G-7V7M

Affected Products

Ie11