CVE-2024-7524 Information

Description

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by a Content Security Policy in 'strict-dynamic' mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack against some of these shims to achieve XSS, bypassing the CSP 'strict-dynamic' protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1909241
https://www.mozilla.org/security/advisories/mfsa2024-33/
https://www.mozilla.org/security/advisories/mfsa2024-34/
https://www.mozilla.org/security/advisories/mfsa2024-35/