An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140.
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Link | Tags |
---|---|
https://bugzilla.mozilla.org/show_bug.cgi?id=1966927 | permissions required |
https://www.mozilla.org/security/advisories/mfsa2025-51/ | vendor advisory |