
CVE-2024-0747: Bypass of Content Security Policy when directive unsafe-inline was set in Mozilla Firefox

Severity: Medium
Published: Tue Jan 23 2024 (01/23/2024, 13:48:16 UTC)
Source: CVE
Vendor/Project: Mozilla
Product: Firefox

Description

When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

AI-Powered Analysis

Last updated: 07/08/2025, 08:57:51 UTC

Technical Analysis

CVE-2024-0747 is a vulnerability in Mozilla Firefox (versions prior to 122), Firefox ESR (prior to 115.7), and Thunderbird (prior to 115.7) that allows a bypass of the Content Security Policy (CSP) under specific conditions. CSP is a security standard designed to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by restricting the sources from which content can be loaded and executed. This vulnerability arises when a parent webpage loads a child page within an iframe and the parent’s CSP includes the 'unsafe-inline' directive. In this scenario, the parent page’s CSP can override the child page’s CSP, effectively weakening the child’s intended security restrictions. The 'unsafe-inline' directive permits the execution of inline scripts, which is generally discouraged due to the risk of injection attacks. By allowing the parent CSP to override the child’s CSP, attackers could potentially inject malicious inline scripts into the child iframe content, leading to integrity violations such as unauthorized script execution. This vulnerability is classified under CWE-693 (Protection Mechanism Failure), indicating a failure in enforcing security policies properly. The CVSS v3.1 base score is 6.5 (medium severity), with an attack vector of network (remote exploitation possible), low attack complexity, no privileges required, but requiring user interaction. The impact is primarily on integrity, with no direct confidentiality or availability impact. No known exploits are currently reported in the wild, and no official patches were linked at the time of publication, though updates to Firefox and Thunderbird beyond the affected versions are expected to address this issue.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, especially for those relying heavily on Firefox or Thunderbird for web browsing and email communication. The ability to bypass CSP can facilitate injection of malicious scripts within iframe content, potentially leading to unauthorized actions such as session hijacking, data manipulation, or execution of malicious code within the context of trusted sites. This could undermine web application security, particularly for internal portals or cloud services that embed third-party content via iframes. The impact is heightened in environments where users are targeted by phishing or social engineering attacks that lure them into interacting with maliciously crafted web pages. Since the vulnerability requires user interaction and the presence of 'unsafe-inline' in the parent CSP, organizations with strict CSP policies that avoid 'unsafe-inline' are less at risk. However, many legacy or misconfigured web applications still use 'unsafe-inline', increasing exposure. The integrity compromise could lead to data tampering or unauthorized actions without direct data leakage or service disruption. This risk is relevant for sectors with high security requirements such as finance, government, healthcare, and critical infrastructure in Europe.

Mitigation Recommendations

European organizations should prioritize updating Firefox to version 122 or later and Firefox ESR and Thunderbird to version 115.7 or later, where this vulnerability is fixed. Web developers and security teams should audit and revise CSP implementations to avoid using the 'unsafe-inline' directive, especially in parent pages that embed iframes. Instead, they should adopt safer CSP practices such as using nonces or hashes for inline scripts and restricting script sources explicitly. Organizations should conduct security reviews of web applications that use iframes to ensure CSP policies are correctly scoped and do not allow unintended overrides. User awareness training should emphasize caution when interacting with unfamiliar web content, particularly content embedded in iframes. Network-level protections such as web filtering and intrusion detection systems can help detect and block suspicious script injection attempts. Additionally, monitoring for unusual script execution behaviors in browsers can provide early warning of exploitation attempts. Since no known exploits are reported, proactive patching and CSP hardening remain the best defenses.
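
The CSP audit recommended above, sketched as an added example (not code from this page or from Mozilla): it parses a Content-Security-Policy header value, reports whether 'unsafe-inline' is actually in effect for inline script elements, and builds the sha256 hash source that can replace it. The function names and the sample policies are assumptions made for illustration.

```python
import base64
import hashlib

# Source expressions that make CSP2+ browsers ignore 'unsafe-inline'.
INLINE_GUARDS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Parse one Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_inline_scripts(header):
    """Return findings on how this policy treats inline <script> elements."""
    policy = parse_csp(header)
    # Fallback chain for inline <script>: script-src-elem, script-src, default-src.
    name = next((d for d in ("script-src-elem", "script-src", "default-src")
                 if d in policy), None)
    if name is None:
        return ["no script-src/default-src: inline scripts are unrestricted"]
    sources = [s.lower() for s in policy[name]]
    if "'unsafe-inline'" not in sources:
        return []
    if any(s.startswith(INLINE_GUARDS) for s in sources):
        return [f"{name}: 'unsafe-inline' is ignored by CSP2+ browsers (nonce/hash present)"]
    return [f"{name}: 'unsafe-inline' in effect; replace with nonces or hashes"]

def hash_source(inline_script):
    """Build the 'sha256-...' source expression for one inline script body."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

if __name__ == "__main__":
    # Constructed sample policies, labelled by the page role they stand for.
    samples = {
        "parent": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "child": "script-src 'self' 'nonce-EXAMPLEONLY'",
    }
    for role, header in samples.items():
        print(role, audit_inline_scripts(header) or "ok")
    print(hash_source("console.log('init');"))
```

The hash must be computed over the exact bytes between the script tags, so any whitespace change to the inline script requires a new hash.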


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2024-01-19T16:52:25.524Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f64490acd01a2492644d1

Added to database: 5/22/2025, 5:52:09 PM

Last enriched: 7/8/2025, 8:57:51 AM

Last updated: 7/31/2025, 9:22:10 AM
