Описание
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | code not present |
| esm-infra/focal | DNE | |
| focal | released | 129.0.1+build1-0ubuntu0.20.04.1 |
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-apps/noble | ignored | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | ignored | |
| noble | ignored | |
| oracular | DNE | |
| plucky | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | ignored | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| noble | ignored | |
| oracular | ignored | |
| plucky | ignored | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-apps/bionic | needs-triage | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| noble | DNE | |
| oracular | DNE | |
| plucky | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-apps/focal | needs-triage | |
| esm-infra/bionic | ignored | |
| focal | ignored | |
| jammy | DNE | |
| noble | DNE | |
| oracular | DNE | |
| plucky | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/focal | ignored | |
| focal | ignored | |
| jammy | DNE | |
| noble | DNE | |
| oracular | DNE | |
| plucky | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-apps/jammy | needs-triage | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | ignored | |
| noble | DNE | |
| oracular | DNE | |
| plucky | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | ignored | |
| noble | DNE | |
| oracular | DNE | |
| plucky | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | code not present |
| esm-infra/focal | DNE | |
| focal | not-affected | |
| jammy | not-affected | |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | needs-triage |
Показывать по
Ссылки на источники
EPSS
6.1 Medium
CVSS3
Связанные уязвимости
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Firefox adds web-compatibility shims in place of some tracking scripts ...
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Уязвимость компонента Content Security Policy браузеров Firefox, Firefox ESR, позволяющая нарушителю осуществлять межсайтовые сценарные атаки
EPSS
6.1 Medium
CVSS3