CVE-2021-23996: 
NixOS vulnerability analysis and mitigation

CVE-2021-23996 is a high-impact security vulnerability discovered in Firefox that was disclosed on April 19, 2021. The vulnerability allowed content to be rendered outside of the webpage's viewport through the exploitation of 3D CSS in conjunction with JavaScript. This security flaw was fixed in Firefox version 88 (Mozilla Advisory).

The vulnerability was introduced through a change in the WebRender component of Firefox, specifically related to the flattening of transform matrices. The issue occurred when utilizing 3D CSS transformations, where certain elements could bypass normal viewport boundaries and appear above Firefox's user interface elements. The bug was confirmed to affect Firefox 87.0 and Firefox 89, but did not affect ESR-78 versions (Bugzilla).

This vulnerability could be exploited to create spoofing attacks that could be used for phishing or other malicious activities. Specifically, attackers could render arbitrary content above Firefox's user interface elements, including the address bar and tab bar, potentially misleading users about the origin and security of the webpage they were viewing (Mozilla Advisory).

The vulnerability was fixed in Firefox 88 through a patch that corrected the handling of 3D CSS transformations and clipping boundaries. Users were advised to update to Firefox 88 or later versions to receive the security fix. The fix was also backported to Firefox 88.0.6 (Ubuntu Notice).