CVE-2020-6808: 
NixOS vulnerability analysis and mitigation

CVE-2020-6808 is a URL spoofing vulnerability discovered in Mozilla Firefox versions prior to 74. The vulnerability was reported by Abdulrahman Alqabandi and disclosed on March 10, 2020. The issue affected how Firefox handled JavaScript URLs (javascript:) when evaluating and presenting HTML documents (Mozilla Advisory, NVD).

When a JavaScript URL (javascript:) was evaluated and the result was a string, this string would be parsed to create an HTML document. The vulnerability arose because the document's URL (as reported by the document.location property) was incorrectly set to the originating javascript: URL instead of the URL of the originating document. This implementation flaw could lead to URL spoofing attacks. The vulnerability received a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow attackers to conduct URL spoofing attacks by manipulating how the browser displayed the document's URL. This could potentially mislead users about the actual origin of the webpage they were viewing. The impact was rated as moderate because while it could be used for spoofing attacks, it required user interaction and had limitations in terms of what could be spoofed (Mozilla Advisory).

The vulnerability was fixed in Firefox 74, released on March 10, 2020. The fix ensures that the document's URL is correctly set to the URL of the originating document rather than the javascript: URL. Users were advised to upgrade to Firefox 74 or later versions to receive the security fix (Mozilla Advisory).