{"id":"CVE-2024-7524","details":"Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection.  On a site protected by Content Security Policy in \"strict-dynamic\" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox \u003c 129, Firefox ESR \u003c 115.14, and Firefox ESR \u003c 128.1.","modified":"2026-03-09T23:56:22.811780Z","published":"2024-08-06T13:15:57.357Z","related":["ALSA-2024:5322","ALSA-2024:5391","CGA-pmxj-7jmm-rfq9","MGASA-2024-0325","MGASA-2024-0332","MGASA-2024-0334","SUSE-SU-2024:2876-1","SUSE-SU-2024:3003-1","openSUSE-SU-2024:14260-1","openSUSE-SU-2024:14572-1"],"references":[{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2024-33/"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2024-34/"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2024-35/"},{"type":"REPORT","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1909241"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"129.0"}]},{"events":[{"introduced":"0"},{"fixed":"115.14"}]},{"events":[{"introduced":"116.0"},{"fixed":"128.1"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7524.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}