CVE-2024-7524 — Cross-site Scripting in Mozilla Firefox
Severity
6.1MEDIUMNVD
OSV6.5
EPSS
0.3%
top 46.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 6
Latest updateAug 21
Description
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages5 packages
🔴Vulnerability Details
5GHSA▶
GHSA-7m9h-4qg6-4hmh: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection↗2024-08-06
CVEList▶
CVE-2024-7524: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection↗2024-08-06
OSV▶
CVE-2024-7524: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection↗2024-08-06
📋Vendor Advisories
6Debian▶
CVE-2024-7524: firefox - Firefox adds web-compatibility shims in place of some tracking scripts blocked b...↗2024