CVE-2020-6810: 
NixOS vulnerability analysis and mitigation

CVE-2020-6810 is a security vulnerability discovered in Mozilla Firefox versions prior to 74.0. The vulnerability was reported by Avi Drissman of the Chrome security team and disclosed on March 10, 2020. The issue affects Firefox's fullscreen mode functionality, where a website could manipulate popup windows to obscure important security notifications (Mozilla Advisory, NVD).

The vulnerability allows a malicious website to use a previously opened popup window to obscure the notification that indicates the browser is in fullscreen mode. This could be combined with browser chrome spoofing techniques to create a more sophisticated attack. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating that it requires user interaction but can be exploited remotely without special privileges (NVD).

If successfully exploited, this vulnerability could lead to user confusion about the current origin of the webpage, potentially enabling credential theft or other social engineering attacks. The impact is particularly concerning as it could allow attackers to bypass important security UI elements that help users identify their browsing context (Mozilla Advisory).

The vulnerability was fixed in Firefox version 74.0. The fix involves forcing the browser to exit fullscreen mode when a popup window is focused, preventing the security notification from being obscured. Users are advised to upgrade to Firefox 74.0 or later to receive the security fix (Mozilla Advisory).

The vulnerability was initially discovered during a security assessment of Chrome by Google's security team, highlighting the collaborative nature of browser security research. The fix was implemented to match similar protections already present in Chrome and Edge browsers, demonstrating a convergence on security best practices across major browsers (Threatpost).