GHSA-cvw4-c69g-7v7m

Suggest an improvement
Source
https://github.com/advisories/GHSA-cvw4-c69g-7v7m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-cvw4-c69g-7v7m/GHSA-cvw4-c69g-7v7m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cvw4-c69g-7v7m
Aliases
Related
Published
2024-07-02T21:20:07Z
Modified
2024-07-05T22:04:22.612726Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS Calculator
Summary
Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Details

Note

On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure polyfill.io and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable.

The following sections describe this vulnerability prior to the domain level intervention, when it was still exploitable.

Impact

fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard.

On June 25th, 2024, Sansec published the following regarding the polyfill.io domain.

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain... However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving fides.js to download and execute malicious scripts from the compromised domain.

No exploitation of fides.js via polyfill.io has been identified at this time, but other script developers who use https://cdn.polyfill.io/v2/polyfill.min.js have reported redirects to malicious websites.

Patches

The vulnerability has been patched in Fides version 2.39.1. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high.

Clients could ensure they were not affected by using a modern browser that supported the fetch standard. caniuse.com/fetch estimates that 97.52% of browser users use a browser that supports the fetch standard.

References

  • https://sansec.io/research/polyfill-supply-chain-attack
  • https://github.com/ethyca/fides/pull/5026/
  • https://fetch.spec.whatwg.org/
Database specific 
{
    "nvd_published_at": "2024-07-02T20:15:05Z",
    "cwe_ids": [
        "CWE-829"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-02T21:20:07Z"
}
References

Affected packages

PyPI / ethyca-fides

Package

Name
ethyca-fides
View open source insights on deps.dev
Purl
pkg:pypi/ethyca-fides

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.39.1

Affected versions

1.*

1.9.9

2.*

2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.8.3
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1b2
2.10.1b3
2.11.0
2.11.1b0
2.11.1b1
2.11.1b2
2.11.1b3
2.11.1b4
2.11.1b5
2.11.1b6
2.12.0
2.12.1b0
2.12.1b1
2.12.1b2
2.12.1b3
2.12.1b4
2.12.1
2.12.2b0
2.12.2b1
2.12.2b2
2.13.0
2.13.1b0
2.13.1b1
2.13.1b2
2.14.0
2.14.1b0
2.14.1b1
2.14.1b2
2.14.1
2.14.2b0
2.14.2
2.14.3b0
2.15.0
2.15.1b0
2.15.1b1
2.15.1
2.15.2b0
2.16.0
2.16.1b0
2.16.1b1
2.17.0
2.17.1b0
2.17.1
2.18.0
2.18.1b0
2.18.1b1
2.18.1b2
2.18.1b4
2.18.1b5
2.18.1b6
2.18.1b7
2.19.0rc6
2.19.0rc7
2.19.0rc8
2.19.0rc10
2.19.0
2.19.1b0
2.19.1rc1
2.19.1rc2
2.19.1
2.19.2b0
2.19.2b1
2.19.2b2
2.20.0rc0
2.20.0rc1
2.20.0rc2
2.20.0rc3
2.20.0rc4
2.20.0rc5
2.20.0rc6
2.20.0rc7
2.20.0
2.20.1b0
2.20.1b1
2.20.1b2
2.20.1b3
2.20.1rc0
2.20.1
2.20.2b0
2.20.2rc0
2.20.2
2.20.3b0
2.20.3b1
2.20.3b2
2.21.0rc0
2.21.0rc1
2.21.0rc2
2.21.0rc3
2.21.0rc4
2.21.0rc5
2.21.0
2.21.1b0
2.21.1b2
2.21.1b3
2.22.0rc0
2.22.0rc1
2.22.0rc2
2.22.0rc3
2.22.0rc4
2.22.0rc5
2.22.0
2.22.1b0
2.22.1b1
2.22.1b2
2.22.1b3
2.22.1rc0
2.22.1rc1
2.22.1
2.22.2b0
2.22.2b1
2.22.2b2
2.22.2b3
2.23.0rc0
2.23.0rc1
2.23.0rc2
2.23.0rc3
2.23.0rc4
2.23.0rc5
2.23.0rc6
2.23.0rc7
2.23.0
2.23.1b0
2.23.1rc0
2.23.1
2.23.2b0
2.23.2
2.23.3b0
2.23.3b1
2.23.3b3
2.23.3rc0
2.23.3rc1
2.23.3rc2
2.23.3
2.24.0rc0
2.24.0rc2
2.24.0rc3
2.24.0rc4
2.24.0rc5
2.24.0rc6
2.24.0rc7
2.24.0rc8
2.24.0rc9
2.24.0
2.24.1b0
2.24.1b1
2.24.1rc0
2.24.1rc1
2.24.1
2.24.2b0
2.24.2b1
2.25.0rc0
2.25.0
2.25.1b0
2.25.1b1
2.25.1b2
2.25.1b3
2.25.1b4
2.26.0rc0
2.26.0rc1
2.26.0rc2
2.26.0rc3
2.26.0rc4
2.26.0rc5
2.26.0rc6
2.26.0rc7
2.26.0rc8
2.26.0rc9
2.26.0
2.26.1b0
2.26.1b1
2.26.3
2.27.0rc0
2.27.0rc1
2.27.0rc2
2.27.0rc3
2.27.0rc4
2.27.0rc5
2.27.0rc6
2.27.0rc7
2.27.0rc8
2.27.0rc9
2.27.0
2.27.1b0
2.27.1b1
2.28.0rc0
2.28.0rc1
2.28.0rc2
2.28.0rc3
2.28.0rc4
2.28.0rc5
2.28.0
2.28.1a5
2.28.1b0
2.28.1b1
2.29.0rc0
2.29.0rc1
2.29.0rc2
2.29.0rc3
2.29.0rc4
2.29.0
2.29.1b0
2.29.1b1
2.30.0rc0
2.30.0rc1
2.30.0rc2
2.30.0
2.30.1b0
2.30.1rc0
2.30.1
2.30.2b0
2.30.2b1
2.31.0rc0
2.31.0rc1
2.31.0rc2
2.31.0rc3
2.31.0
2.31.1b0
2.31.1b2
2.32.0rc0
2.32.0rc1
2.32.0rc2
2.32.0rc3
2.32.0
2.32.1b1
2.32.1b2
2.33.0rc0
2.33.0rc1
2.33.0rc2
2.33.0rc3
2.33.0
2.33.1b0
2.33.1rc0
2.33.1
2.33.2a0
2.33.2b0
2.34.0rc0
2.34.0rc1
2.34.0rc2
2.34.0rc3
2.34.0rc4
2.34.0rc5
2.34.0
2.34.1a0
2.34.1b0
2.34.1rc1
2.34.2b0
2.34.2b1
2.34.2b2
2.34.2b3
2.35.0rc0
2.35.0rc1
2.35.0rc2
2.35.0
2.35.1rc0
2.35.1
2.35.2b0
2.35.2b1
2.36.0rc0
2.36.0rc1
2.36.0
2.36.1a0
2.36.1b0
2.36.1rc1
2.36.1rc2
2.36.1rc3
2.36.1rc4
2.36.2b0
2.36.2b1
2.36.2b2
2.36.2b3
2.36.2b4
2.36.2b5
2.37.0rc0
2.37.0rc1
2.37.0rc2
2.37.0rc3
2.37.0rc4
2.37.0
2.37.1b0
2.37.1b1
2.37.1b2
2.37.1b3
2.37.1b4
2.38.0rc0
2.38.0rc1
2.38.0
2.38.1b0
2.38.1b1
2.38.1rc0
2.38.1rc1
2.38.1
2.38.2b0
2.38.2b1
2.38.2b2
2.39.0rc0
2.39.0rc1
2.39.0rc2
2.39.0
2.39.1b0
2.39.1rc0