CVE-2024-7524

Published: Aug 6, 2024

Modified: Mar 25, 2025

PUBLISHED

Description

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Vendor	Product	Versions
Mozilla	Firefox	affected `unspecified - < 129`
Mozilla	Firefox ESR	affected `unspecified - < 115.14`
Mozilla	Firefox ESR	affected `unspecified - < 128.1`

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1909241

https://www.mozilla.org/security/advisories/mfsa2024-33/

https://www.mozilla.org/security/advisories/mfsa2024-34/

https://www.mozilla.org/security/advisories/mfsa2024-35/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-7524

Description

Affected Products

References