PT-2020-21221 · Helmet · Helmet-Csp

Published: 2020-09-03 · Updated: 2020-09-03

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: helmet-csp versions prior to 2.9.1
Description: The issue weakens the application's Content Security Policy (CSP) by allowing an attacker to strip the default CSP, potentially leaving the application exposed to Cross-Site Scripting. The cause is the package's browser sniffing, which deletes the default-src CSP directive when it detects Firefox.
Recommendations: Upgrade to version 2.9.1 or later. As a temporary workaround for versions prior to 2.9.1, set the browserSniff option to false.
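As an added example (not code from the Helmet project or from this advisory): a helmet-csp configuration for Express that applies the advisory's workaround, `browserSniff: false`, next to a small header check that confirms `default-src` is still present in the Content-Security-Policy a deployment actually sends. The Express wiring, the `cspOptions`/`parseCsp`/`cspHasDefaultSrc` helpers and the sample header values are assumptions constructed for this example.

```javascript
// Added example: the advisory's helmet-csp (< 2.9.1) workaround plus a
// deployment check. The Express/helmet-csp wiring is only used by mountCsp().

// Middleware options. browserSniff is on by default in affected versions;
// setting it to false stops the User-Agent-based rewriting that dropped
// default-src for Firefox. Upgrading to >= 2.9.1 remains the real fix.
function cspOptions() {
  return {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      objectSrc: ["'none'"],
    },
    browserSniff: false, // advisory workaround for versions prior to 2.9.1
  };
}

// Mount the policy on an Express app. Requires express and helmet-csp to be
// installed; kept inside a function so the rest of this file runs without them.
function mountCsp(app) {
  const csp = require('helmet-csp');
  app.use(csp(cspOptions()));
}

// Parse a Content-Security-Policy header value into { directive: [values] }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Deployment check: does the header still carry a default-src fallback?
// Run it against responses fetched with several User-Agent strings, including
// a Firefox one, since that is the case the browser sniffing mishandled.
function cspHasDefaultSrc(headerValue) {
  return Object.prototype.hasOwnProperty.call(parseCsp(headerValue), 'default-src');
}

// Constructed sample header values (not captured from a real application):
const HEADER_OK = "default-src 'self'; script-src 'self'; object-src 'none'";
const HEADER_STRIPPED = "script-src 'self'; object-src 'none'"; // default-src gone
```

Call `mountCsp(app)` before any route handlers so every response carries the policy, and compare `cspHasDefaultSrc` results across User-Agents to confirm the workaround or upgrade took effect.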

Related Identifiers: GHSA-C3M8-X3CG-QM2C

Affected Products: Helmet-Csp