firefox is vulnerable to remote code execution. An attacker who is able to inject markup into a page otherwise protected by a Content Security Policy
may be able to inject an executable script due to not implementing the unsafe-hashes CSP directive.