Configuration Override in helmet-csp
Versions of helmet-csp before to are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting. Upgrade to or later. Setting the browserSniff configuration to false in vulnerable versions also mitigates the issue.