### [CVE-2024-7524](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7524)
![](https://img.shields.io/static/v1?label=Product&message=Firefox%20ESR&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Firefox&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20115.14%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20129%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CSP%20strict-dynamic%20bypass%20using%20web-compatibility%20shims&color=brighgreen)

### Description

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection.  On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds