Tags: security, url, cdn, confidentiality

CDNs and personally identifiable information in the referer header


I have an application that uses CDNs for jQuery and other libraries. Some pages have URLs that contain slugs with possibly personally identifiable information, for example the URL:

https://mycompany.com/myapp/people/123/kilgore-trout

contains a person's database ID and a slugged version of their name. This may be a confidentiality risk because the URL is sent to the CDN in the request's referer header.

Is this a legitimate concern? If so, is there anything I can do besides not use CDNs?


Solution

  • Your concern is right. The client's browser will leak your query string or URL when it tries to reach images or external JavaScript files.

    Mitigation can be done via the following meta tag.

    <meta name="referrer" content="never">
    

    When you put this meta tag into your HTML, the browser won't leak your URLs.

    Further information: http://w3c.github.io/webappsec/specs/referrer-policy/
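To see concretely what the answer above buys you, here is an added example (my own code, not part of the original answer or the spec) that models the Referrer Policy "determine request's referrer" algorithm and prints the Referer value a browser would attach to a CDN request for each policy keyword. It also maps the legacy `never` token the answer uses onto its standard equivalent `no-referrer`. The page URL and the CDN host `cdn.example.net` are constructed for illustration; the "downgrade" check is simplified to https-to-http, which is what matters for ordinary web pages.

```javascript
// Added example: model of the Referrer Policy algorithm, to show what Referer
// header (if any) is sent to a third-party CDN under each policy keyword.
// URLs below are constructed for illustration; cdn.example.net is hypothetical.

// Pre-standard <meta name="referrer"> tokens and the standard keyword each maps to.
const LEGACY = {
  never: 'no-referrer',
  default: 'no-referrer-when-downgrade',
  always: 'unsafe-url',
  'origin-when-crossorigin': 'origin-when-cross-origin',
};

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
];

// Credentials and fragment are never sent; originOnly reduces to origin + "/".
function stripReferrer(pageUrl, originOnly) {
  const u = new URL(pageUrl);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

function isTls(url) {
  return new URL(url).protocol === 'https:';
}

// Returns the Referer value the browser would send for a request from pageUrl
// to requestUrl under the given policy, or null when no header is sent.
// An empty policy means "unset": modern browsers default to
// strict-origin-when-cross-origin.
function referrerFor(pageUrl, requestUrl, policy = '') {
  if (Object.prototype.hasOwnProperty.call(LEGACY, policy)) policy = LEGACY[policy];
  if (policy === '') policy = 'strict-origin-when-cross-origin';
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);

  const page = new URL(pageUrl);
  // Documents from file:, data:, about: and similar schemes send no referrer.
  if (page.protocol !== 'https:' && page.protocol !== 'http:') return null;

  const sameOrigin = page.origin === new URL(requestUrl).origin;
  const downgrade = isTls(pageUrl) && !isTls(requestUrl);
  const full = stripReferrer(pageUrl, false);
  const origin = stripReferrer(pageUrl, true);

  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return origin;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin': return downgrade ? null : origin;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : origin);
  }
}

// True when the policy would expose more than the page's origin (i.e. the
// path or query, which is where the person ID and name slug live).
function leaksPath(pageUrl, requestUrl, policy) {
  const r = referrerFor(pageUrl, requestUrl, policy);
  return r !== null && r !== stripReferrer(pageUrl, true);
}

// One row per policy keyword, plus the legacy "never" token from the answer.
function report(pageUrl, requestUrl) {
  const rows = {};
  for (const p of [...POLICIES, 'never']) rows[p] = referrerFor(pageUrl, requestUrl, p);
  return rows;
}

const PAGE = 'https://mycompany.com/myapp/people/123/kilgore-trout?tab=notes#top';
const CDN = 'https://cdn.example.net/jquery.min.js'; // hypothetical CDN host
console.table(report(PAGE, CDN));
```

Running it shows that only `unsafe-url` and `no-referrer-when-downgrade` (the old browser default) send the full `/myapp/people/123/kilgore-trout` path to the CDN; `origin`, `strict-origin` and the `*-when-cross-origin` keywords reduce it to `https://mycompany.com/`, and `no-referrer` (the standard spelling of the answer's `never`) sends nothing. Two practical notes. First, the same policy can be set as a `Referrer-Policy` HTTP response header or per element with `referrerpolicy="no-referrer"` on `<script>`, `<img>` and `<link>`, which is handy when you want to tighten only the CDN loads. Second, a script fetched from the CDN executes in your page's origin and can read `location.href` directly, so the referrer policy only protects the URL on the wire of the resource request itself; if the CDN serving the script is the party you distrust, Subresource Integrity hashes on the `<script>` tag are the complementary control.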