CVE-2024-7524

Aug. 6, 2024, 4:30 p.m.

None
No Score

Description

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Product(s) Impacted

Product: Firefox
Versions: < 129, ESR < 115.14, ESR < 128.1

Timeline

Published: Aug. 6, 2024, 1:15 p.m.
Last Modified: Aug. 6, 2024, 4:30 p.m.

Status: Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

Source

security@mozilla.org
