When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Firefox | Mozilla | * | 122.0 (excluding) |
Firefox_esr | Mozilla | * | 115.7 (excluding) |
Thunderbird | Mozilla | * | 115.7 (excluding) |