
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-6812 is a privacy vulnerability discovered in Firefox and Thunderbird that affects versions prior to Firefox 74, Firefox ESR 68.6, and Thunderbird 68.6. The vulnerability was discovered by Jan-Ivar Bruaroey and disclosed on March 10, 2020. The issue allowed websites with camera or microphone permissions to access personally identifiable information through device names, specifically affecting users with AirPods connected to their systems (Mozilla Advisory).
The vulnerability stems from the way Firefox and Thunderbird handled device enumeration for audio devices. When AirPods are first connected to an iPhone, they are automatically named after the user (e.g., "Jane Doe's AirPods"). Websites with camera or microphone permissions could enumerate device names through the WebRTC API, thereby exposing the user's personal name. The vulnerability was assigned a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability could lead to the disclosure of users' personal information (names) to websites that have been granted camera or microphone permissions. This privacy leak occurs specifically when users have AirPods connected to their system, as the default naming convention includes the user's name (Mozilla Advisory).
Mozilla addressed this vulnerability by implementing a special case that renames devices containing the substring 'AirPods' to simply 'AirPods', effectively removing the personally identifiable information. The fix was released in Firefox 74, Firefox ESR 68.6, and Thunderbird 68.6. Users are advised to update their software to these versions or later to protect against this privacy vulnerability (Mozilla Advisory).
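The renaming rule described above, sketched as an added example (it is not Mozilla's code and not part of the original page): it is applied to a constructed list shaped like the result of `navigator.mediaDevices.enumerateDevices()`. The function names and sample devices are assumptions made for illustration.

```javascript
// Added illustration of the mitigation described in the advisory text.
// sanitizeLabel, sanitizeDevices, changedLabels and sampleDevices are
// hypothetical names; this is not the browser's implementation.

const GENERIC_AIRPODS_LABEL = "AirPods";

// A label containing the substring "AirPods" is replaced by the bare product
// name, which drops the owner-name prefix. Other labels pass through.
function sanitizeLabel(label) {
  if (typeof label !== "string") return "";
  return label.includes("AirPods") ? GENERIC_AIRPODS_LABEL : label;
}

// Returns copies of the device records with sanitized labels; deviceId, kind
// and groupId are preserved so callers can still select a device.
function sanitizeDevices(devices) {
  return devices.map((d) => ({
    deviceId: d.deviceId,
    kind: d.kind,
    groupId: d.groupId,
    label: sanitizeLabel(d.label),
  }));
}

// Review helper: lists which labels the rule rewrote.
function changedLabels(devices) {
  return devices
    .map((d) => ({ deviceId: d.deviceId, before: d.label, after: sanitizeLabel(d.label) }))
    .filter((c) => c.before !== c.after);
}

// Constructed sample data (not captured from a real system).
const sampleDevices = [
  { deviceId: "a1", kind: "audioinput", groupId: "g1", label: "Jane Doe's AirPods" },
  { deviceId: "a2", kind: "audiooutput", groupId: "g1", label: "Jane Doe's AirPods Pro" },
  { deviceId: "a3", kind: "audioinput", groupId: "g2", label: "Built-in Microphone" },
  // No "AirPods" substring, so the special case leaves this label as it is.
  { deviceId: "a4", kind: "audioinput", groupId: "g3", label: "Jane Doe's Headset" },
];

console.log(sanitizeDevices(sampleDevices).map((d) => d.label));
```

The last sample device shows the scope of the special case: it keys on the substring 'AirPods' only, so a label without that substring is returned unchanged.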
Source: This report was generated using AI