CVE-2021-29944: 
NixOS vulnerability analysis and mitigation

CVE-2021-29944 is a security vulnerability discovered in Firefox for Android's Reader View feature. The vulnerability was reported by Wladimir Palant working with Include Security and was fixed in Firefox version 88, released on April 19, 2021. The issue specifically affected only Firefox for Android, with other operating systems being unaffected (Mozilla Advisory).

The vulnerability stemmed from a lack of proper escaping in the Reader View feature, which allowed HTML injection when a webpage was viewed in Reader View. While a Content Security Policy (CSP) was in place that prevented direct code execution, HTML injection remained possible. The vulnerability was assigned a CVSS 3.1 Base Score of 6.1 (MEDIUM) and a CVSS 2.0 Base Score of 4.3 (MEDIUM) (NVD).

The vulnerability allowed for HTML injection attacks when users viewed webpages in Reader View. Although the Content Security Policy prevented direct code execution, the HTML injection capability could potentially be used for phishing attacks or other malicious purposes. The impact was considered 'low' according to Mozilla's severity rating (Mozilla Advisory).

The vulnerability was fixed in Firefox version 88. The fix included implementing proper escaping mechanisms, quoting all attributes, switching to URLSearchParams instead of using encodeURIComponent/decodeURIComponent, and consolidating all escaping logic into a single function to prevent similar issues in the future (Bugzilla).