SVG's <code><use></code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.
El elemento <code></code> de SVG podría haberse utilizado para cargar contenido inesperado que podría haber ejecutado un script en determinadas circunstancias. Si bien la especificación parece permitir esto, otros navegadores no lo hacen, y los desarrolladores web confiaron en esta propiedad para la seguridad de los scripts, por lo que la implementación de gecko estaba alineada con la de ellos. Esta vulnerabilidad afecta a Firefox < 99.
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, execute script unexpectedly, obtain sensitive information, conduct spoofing attacks, or execute arbitrary code. A security issue was discovered with the sourceMapURL feature of devtools. An attacker could potentially exploit this to include local files that should have been inaccessible.
