CVE-2024-0747: 
NixOS vulnerability analysis and mitigation

A Content Security Policy (CSP) bypass vulnerability was discovered in Mozilla Firefox, Firefox ESR, and Thunderbird, tracked as CVE-2024-0747. The vulnerability affects Firefox versions before 122, Firefox ESR versions before 115.7, and Thunderbird versions before 115.7. When a parent page loaded a child in an iframe with 'unsafe-inline', the parent Content Security Policy could override the child Content Security Policy, potentially compromising the security restrictions intended for the child frame (Mozilla Advisory).

The vulnerability stems from an incorrect implementation of Content Security Policy inheritance between parent and child documents. When using document.write() on an existing document, Firefox incorrectly treated it as if navigating to 'about:blank' and building a new document from scratch, causing the CSP inheritance to malfunction. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and requiring user interaction (NVD).

The vulnerability could allow an attacker to bypass Content Security Policy restrictions in child iframes, potentially leading to unauthorized script execution and compromising the security model of affected websites. This could result in cross-site scripting (XSS) attacks or other security policy violations in scenarios where the child frame was intended to have stricter security controls than its parent (Mozilla Advisory).

The vulnerability has been fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Users are strongly recommended to upgrade to these or later versions. The fix involves removing incorrect CSP inheritance steps in the Document::Open implementation to ensure proper preservation of the child document's security policies (Mozilla Advisory, Debian Advisory).