CVE-2024-7524: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content...
Description
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Classification
CVE ID: CVE-2024-7524
Problem Types
CSP strict-dynamic bypass using web-compatibility shimsAffected Products
Vendor: Mozilla, Mozilla, Mozilla
Product: Firefox, Firefox ESR, Firefox ESR
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.2% (probability of being exploited)
EPSS Percentile: 43.01% (scored less or equal to compared to others)
EPSS Date: 2025-04-23 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-7524https://bugzilla.mozilla.org/show_bug.cgi?id=1909241
https://www.mozilla.org/security/advisories/mfsa2024-33/
https://www.mozilla.org/security/advisories/mfsa2024-34/
https://www.mozilla.org/security/advisories/mfsa2024-35/