Bypassing CSP and implementing XSS attack

I am using Content Security Policy (CSP) rules in my code to defend against XSS attacks. Here are the CSP rules I have implemented using Helmet:

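const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // Fallback for every fetch directive that is not set explicitly
      defaultSrc: ["'self'"],
      // Scripts may load from the app's own origin and these three CDN hosts
      scriptSrc: [
        "'self'",
        "use.fontawesome.com",
        "ajax.googleapis.com",
        "cdnjs.cloudflare.com",
      ],
    },
  })
);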

Despite these measures, suppose an attacker is faced with an input field in the application. The CSP rules prevent simple script injections like:

<script>alert(1)</script>

Given these restrictions, how could an attacker potentially bypass the given CSP rules and still execute a script? What specific approach or technique might they use to exploit vulnerabilities in this setup?
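
A defender's check for the policy in the question, as an added example that is not part of the original post and is not Helmet's own code: `auditCsp` and `nonceBasedDirectives` are hypothetical helper names. It flags `script-src` entries that trust a whole host rather than one specific file, and builds a nonce-based policy to compare against; the nonce is assumed to be generated fresh for each response by the caller.

```javascript
// Added example: audit a Helmet-style `directives` object (camelCase keys).
// auditCsp and nonceBasedDirectives are hypothetical helpers, not Helmet APIs.

// True when a host source also pins a path, e.g. "cdn.example/libs/app.js".
function hasPath(src) {
  return src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").includes("/");
}

function auditCsp(directives) {
  // script-src falls back to default-src when it is not set.
  const sources = directives.scriptSrc || directives.defaultSrc || [];
  const findings = [];
  for (const src of sources) {
    if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
      findings.push({ source: src, issue: "unsafe-keyword" });
    } else if (src === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      findings.push({ source: src, issue: "wildcard-or-scheme" });
    } else if (!src.startsWith("'") && !hasPath(src)) {
      // Whole-host entry: every script served from that host is trusted,
      // not only the library the application meant to load.
      findings.push({ source: src, issue: "host-wide-allowlist" });
    }
  }
  return findings;
}

// Nonce-based alternative: only <script nonce="..."> tags emitted by the
// server run; with 'strict-dynamic' they may load further scripts.
// `nonce` must be a fresh random value per response (the caller's job).
function nonceBasedDirectives(nonce) {
  return {
    defaultSrc: ["'self'"],
    scriptSrc: [`'nonce-${nonce}'`, "'strict-dynamic'"],
    objectSrc: ["'none'"],
    baseUri: ["'none'"],
  };
}

// The policy from the question.
const questionPolicy = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "use.fontawesome.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"],
};

console.log(auditCsp(questionPolicy));
console.log(auditCsp(nonceBasedDirectives("Y29uc3RydWN0ZWQ="))); // constructed nonce
```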
