CVE-2020-26978: 
NixOS vulnerability analysis and mitigation

CVE-2020-26978 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that was disclosed on December 15, 2020. The vulnerability allowed a malicious webpage to expose both internal network hosts and services running on the user's local machine by utilizing techniques built on slipstream research. This vulnerability affected Firefox versions prior to 84, Firefox ESR versions before 78.6, and Thunderbird versions before 78.6 (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts on both confidentiality and integrity, and no impact on availability (NVD).

When exploited, this vulnerability could allow attackers to probe and discover internal network hosts as well as detect services running on the user's local machine. This could potentially lead to network mapping and service enumeration, which could be used as reconnaissance for further attacks (Mozilla Advisory).

Mozilla addressed this vulnerability by releasing security updates in Firefox 84, Firefox ESR 78.6, and Thunderbird 78.6. Users are advised to update their software to these versions or later to protect against this vulnerability. The fix involved adding additional ports (including 1720, 1723, and 554) to the restricted ports list to prevent potential exploitation (Mozilla Advisory).