CVE-2018-5175

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 60

Description A mechanism to bypass Content Security Policy (CSP) protections exists on sites with a "script-src" policy of 'strict-dynamic'. If a target website contains an HTML injection flaw, an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts. This could allow a remote attacker to perform cross-site scripting attacks.

Recommendations For Firefox versions prior to 60, update to version 60 or later to resolve the issue. As a temporary workaround, consider restricting access to the "require.js" library in the Developer Tools to minimize the risk of exploitation. Avoid using websites with known HTML injection flaws until the issue is resolved.