Fides DOM-Based Cross-Site Scripting Vulnerability in fides.js

Vulnerability

A DOM-based cross-site scripting (XSS) vulnerability has been identified in the Fides privacy engineering platform, affecting versions from 2.33.0 up to but not including 2.84.5. The flaw is in fides.js, the consent script embedded on customer sites: when HTML-formatted descriptions are enabled, a description override supplied from the client side is applied after the server-side sanitization step has already run, so the sanitizer never sees the override and it reaches the DOM unchanged. No account on Fides or the embedding site is needed; any visitor able to supply the override gets arbitrary JavaScript execution in the embedding site's origin, and because the override can also be carried in a crafted cookie, the payload can persist and reach every subdomain the cookie is scoped to.

Impact

Exploitation gives arbitrary JavaScript execution in the embedding site's origin, with the same privileges as the site's own scripts: reading data the page can reach, issuing requests with the victim's ambient credentials, and injecting content that appears to come from the site. The impact is heightened by persistence: once the override is stored in a cookie, a single exploitation triggers the injected script on every subsequent consent banner render, on every subdomain the cookie applies to, until the cookie is cleared.

Reproduction

To reproduce this vulnerability, configure a Fides experience that uses rich HTML descriptions and has the 'allowHTMLDescription' option enabled. Then, on a page where the consent banner is loaded, apply the proof-of-concept override, substituting the site's URL for '<your-site>'. If the banner does not open automatically, click the 'Manage preferences' link to display it; the payload fires when the description is rendered.
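The following Node.js script is an added example, not code from the Fides project, and it does not reproduce Fides's real override mechanism. It models the ordering defect described in the Vulnerability section and exercised by the reproduction steps above: the server sanitizes the experience description, but the consent script then merges in a client-controlled override (from the query string or a cookie) and renders it with HTML enabled, so the sanitizer never sees the attacker's string. The override key `fides_description_override`, the function names, the sample experience text and the cookie contents are hypothetical and constructed for the demonstration.

```javascript
// Added example, not code from the Fides project. Models the ordering bug:
// server-side sanitization runs on the stored description, but a client-side
// override is applied afterwards and rendered as HTML unchanged.
// The key "fides_description_override" and all function names are hypothetical.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

// Escape every HTML-significant character (safe to assign to innerHTML as text).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list sanitizer standing in for the server-side step: escape everything,
// then restore only bare allow-listed tags (no attributes, so no event handlers).
function sanitizeHtml(html) {
  return escapeHtml(html).replace(/&lt;(\/?)([a-z]+)&gt;/g, (match, slash, tag) =>
    ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : match
  );
}

// Collect fides_* overrides the way a consent script might: query string first,
// then cookies, with the cookie winning. The cookie path is what makes an
// injected override persist across page loads and subdomains.
function readOverrides(search, cookieHeader) {
  const overrides = {};
  for (const [key, value] of new URLSearchParams(search)) {
    if (key.startsWith("fides_")) overrides[key.slice("fides_".length)] = value;
  }
  for (const part of cookieHeader.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key.startsWith("fides_")) {
      overrides[key.slice("fides_".length)] = decodeURIComponent(rest.join("="));
    }
  }
  return overrides;
}

// Vulnerable flow: experience.description passed server-side sanitization, but
// the override is merged in afterwards and handed to innerHTML as-is.
function renderDescriptionVulnerable(experience, overrides, allowHtmlDescription) {
  const description = overrides.description_override ?? experience.description;
  return allowHtmlDescription ? description : escapeHtml(description);
}

// Fixed flow: anything that did not pass through the server-side sanitizer is
// sanitized on the client before it is rendered as HTML.
function renderDescriptionFixed(experience, overrides, allowHtmlDescription) {
  const override = overrides.description_override;
  if (!allowHtmlDescription) return escapeHtml(override ?? experience.description);
  return override !== undefined ? sanitizeHtml(override) : experience.description;
}

// Constructed inputs: a legitimate experience and an attacker-supplied override
// delivered once via the URL and once via a cookie (the persistent variant).
const experience = { description: "We use cookies to improve the site. <b>Learn more</b>" };
const payload = '<img src=x onerror="alert(document.domain)">';
const attackerQuery = "?fides_description_override=" + encodeURIComponent(payload);
const attackerCookie = "fides_description_override=" + encodeURIComponent(payload) + "; session=abc";

console.log("vulnerable (URL):   ", renderDescriptionVulnerable(experience, readOverrides(attackerQuery, ""), true));
console.log("vulnerable (cookie):", renderDescriptionVulnerable(experience, readOverrides("", attackerCookie), true));
console.log("fixed (cookie):     ", renderDescriptionFixed(experience, readOverrides("", attackerCookie), true));
```

Running it shows the vulnerable path returning the `<img onerror=...>` string verbatim for both delivery channels, while the fixed path returns it entity-escaped because the attribute-bearing tag is not on the allow-list. The design point is that the sanitizer has to run on whatever is finally rendered, not on an earlier value that a later override can replace; turning off HTML descriptions (the `allowHtmlDescription = false` branch) closes the hole by escaping everything, which is what the environment-variable workaround in the Remediation section does.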

Remediation

Users are advised to upgrade to Fides version 2.84.5 or later; Fides Enterprise users should upgrade to version 2.84.6, which contains the same patch. As a workaround where an immediate upgrade is not possible, set the 'FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION' environment variable to 'false' to disable HTML descriptions. This removes the vulnerable rendering path, at the cost of rich formatting in consent descriptions, and does not replace the upgrade.

Added: Jun 8, 2026, 9:23 PM
Updated: Jun 8, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.3
remediation: 8.3
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.