Vulnerability CVE-2024-7524: Information

Description

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Published: Aug. 6, 2024
Modified: Aug. 29, 2024
Error type identifier: CWE-79

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
firefoxsisyphus129.0-alt1130.0.1-alt1ALT-PU-2024-10881-1354552Fixed
firefoxsisyphus_riscv64129.0-alt0.port129.0.2-alt0.portALT-PU-2024-11099-1-Fixed
firefoxsisyphus_loongarch64129.0-alt0.port130.0-alt0.portALT-PU-2024-11145-1-Fixed
firefoxp11130.0-alt1126.0.1-alt1ALT-PU-2024-12492-4357171Testing
firefox-esrsisyphus128.1.0-alt1128.2.0-alt1ALT-PU-2024-10877-2354542Fixed
firefox-esrsisyphus_loongarch64128.1.0-alt0.port128.1.0-alt0.portALT-PU-2024-11206-1-Fixed
firefox-esrp11128.2.0-alt1115.11.0-alt1ALT-PU-2024-12493-4357171Testing

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
      End excluding
      129.0

      cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
      Start including
      116.0
      End excluding
      128.1

      cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
      End excluding
      115.14