Описание
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
The Mozilla Foundation Security Advisory describes this flaw as:
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.
Отчет
Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | firefox | Out of support scope | ||
| Red Hat Enterprise Linux 6 | thunderbird | Not affected | ||
| Red Hat Enterprise Linux 7 | thunderbird | Not affected | ||
| Red Hat Enterprise Linux 8 | thunderbird | Not affected | ||
| Red Hat Enterprise Linux 9 | thunderbird | Not affected | ||
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | firefox | Fixed | RHSA-2024:5324 | 13.08.2024 |
| Red Hat Enterprise Linux 8 | firefox | Fixed | RHSA-2024:5391 | 14.08.2024 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | firefox | Fixed | RHSA-2024:5323 | 13.08.2024 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | firefox | Fixed | RHSA-2024:5325 | 13.08.2024 |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | firefox | Fixed | RHSA-2024:5325 | 13.08.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.1 Medium
CVSS3
Связанные уязвимости
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Firefox adds web-compatibility shims in place of some tracking scripts ...
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Уязвимость компонента Content Security Policy браузеров Firefox, Firefox ESR, позволяющая нарушителю осуществлять межсайтовые сценарные атаки
EPSS
6.1 Medium
CVSS3