Ubuntu.com | UB:CVE-2024-7524
Aug 06, 2024 - 12:00 a.m.

CVE-2024-7524

Tags: firefox, cve-2024-7524, xss, dom clobbering, content security policy, tracking scripts, enhanced tracking protection, web compatibility, vulnerability, mozilla, thunderbird, snap, ubuntu 22.04, ubuntu 24.04, security fixes

AI Score: 6 (Confidence: Low)

EPSS: 0.001 (Percentile: 21.9%)

Firefox adds web-compatibility shims in place of some tracking scripts
blocked by Enhanced Tracking Protection. On a site protected by Content
Security Policy in “strict-dynamic” mode, an attacker able to inject an
HTML element could have used a DOM Clobbering attack on some of the shims
and achieved XSS, bypassing the CSP strict-dynamic protection. This
vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR
< 128.1.

Notes

Author: mdeslaur

Note:
mozjs* contain a copy of the SpiderMonkey JavaScript engine. It is not feasible to backport security fixes to the mozjs* packages, as such, marking them as ignored.
Starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap.
Starting with Ubuntu 24.04, the thunderbird package is just a script that installs the Thunderbird snap.