CVE-2024-7524: 
NixOS vulnerability analysis and mitigation

CVE-2024-7524 is a security vulnerability discovered in Mozilla Firefox that affects Firefox versions prior to 129.0, Firefox ESR versions prior to 115.14, and Firefox ESR versions prior to 128.1. The vulnerability was disclosed on August 6, 2024, and was reported by security researcher Masato Kinugawa (Mozilla Advisory). The issue involves Firefox's web-compatibility shims feature, which is used to replace tracking scripts blocked by Enhanced Tracking Protection (NVD).

The vulnerability stems from Firefox's implementation of web-compatibility shims that replace tracking scripts blocked by Enhanced Tracking Protection. On sites protected by Content Security Policy (CSP) in 'strict-dynamic' mode, an attacker who could inject an HTML element could exploit a DOM Clobbering attack on these shims to achieve Cross-Site Scripting (XSS), effectively bypassing the CSP strict-dynamic protection. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The successful exploitation of this vulnerability could allow attackers to bypass Content Security Policy protections and execute cross-site scripting attacks. This could potentially lead to the execution of arbitrary JavaScript code in the context of the affected website, compromising the integrity of the web application and potentially exposing sensitive user information (Mozilla Advisory).

The vulnerability has been fixed in Firefox 129.0, Firefox ESR 115.14, and Firefox ESR 128.1. Users are strongly advised to update their Firefox installations to these versions or later to protect against this security issue. After a standard system update, Firefox needs to be restarted to apply all the necessary changes (Ubuntu Notice).