CVE-2021-29974

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 90

Description The issue is related to the implementation of the HSTS (HTTP Strict Transport Security) mechanism in Mozilla Firefox, which is associated with access control weaknesses. Exploitation of this issue may allow a remote attacker to bypass protection mechanisms. When network partitioning is enabled, such as through Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain that had specified HSTS, which should not be override-able. However, this issue does not affect network connections, as they are correctly upgraded to HTTPS automatically.

Recommendations For versions prior to 90, update to version 90 or later to resolve the issue. As a temporary workaround, consider disabling the Enhanced Tracking Protection settings to minimize the risk of exploitation. Restrict access to TLS error pages to prevent users from overriding HSTS errors on domains that specify this security feature.