CVE-2021-24000: 
NixOS vulnerability analysis and mitigation

A race condition vulnerability (CVE-2021-24000) was discovered in Mozilla Firefox versions prior to 88.0. The vulnerability involved the requestPointerLock() function and setTimeout(), which could allow a user to interact with one tab while believing they were on a different tab (Mozilla Advisory).

The vulnerability stems from a race condition between requestPointerLock() and setTimeout() functions. When exploited, the pointer lock could be applied to the opener window while the focus remained on a newly opened window. This allowed the opener window to continue receiving mouse events even after the user had switched to a different tab (Mozilla Bugzilla). The vulnerability was assigned a CVSS v3.0 score of 4.3 (MEDIUM) (NVD).

When exploited, this vulnerability could lead to user confusion about the origin of the webpage, potentially resulting in users inadvertently disclosing information they did not intend to share. The vulnerability was particularly concerning when used in conjunction with certain HTML elements, as it could trick users into interacting with malicious content while believing they were on a legitimate page (Mozilla Advisory).

The vulnerability was fixed in Firefox 88.0. The fix involved rejecting pointer lock requests if the active tab had changed. Users were advised to upgrade to Firefox 88.0 or later versions to protect against this vulnerability (Ubuntu Security).