CVE-2024-7524
MEDIUMFirefox < 129 and Firefox ESR < 115.14 - Cross-Site Scripting via DOM Clobbering Bypass
Title source: llmDescription
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
References (4)
Core 4
Core References
Issue Tracking, Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1909241
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-33/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-34/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-35/
Scores
CVSS v3
6.1
EPSS
0.0030
EPSS Percentile
53.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
mozilla/firefox
< 129.0
mozilla/firefox_esr
< 115.14
Published
Aug 06, 2024
Tracked Since
Feb 18, 2026