Firefox CSP script-src 'none' bypass via object tag (CVE-2019-17001)

Key Information Summary Vulnerability Description CSP script-src 'none': Allows to execute JavaScript code in Firefox, but works normally in Firefox Developer Edition. Affected Browser Versions Firefox Versions: - Firefox 68: Not affected - Firefox 69: Not affected - Firefox 70: Fixed - Firefox 71: Fixed Fix Status Status: Resolved and Fixed (RESOLVED FIXED) Fix Time: Fixed in Firefox 70 and Firefox 71 Fix Patch Related Bug: Bug 1555043 Patch fixes the issue in Firefox 70, and confirms Firefox 69 is affected, while versions 68 and earlier are unaffected; 70 and 71 are patched. Attachments and Test Cases Reports: report.zip, report-comment.zip Test Cases: testcase_default-src_'none'.html, testcase_default-src_data.html Description: Attachments include vulnerability reports, comments, and test cases demonstrating how the vulnerability can be exploited. Vulnerability Identifier CVE ID: CVE-2019-17001 Related Security Issues: Not directly linked to other CVEs, but associated with other security fixes in the Firefox engine. Notes and Discussion The reporter discovered during a CTF competition that the CSP policy could be exploited via the tag to execute JavaScript code, including stealing user cookies. Additionally, the report notes that changes in Firefox's CSP implementation structure led to this specific vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Firefox CSP script-src 'none' bypass via object tag (CVE-2019-17001)