
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-29953 is a Universal Cross-Site Scripting (XSS) vulnerability in Firefox for Android. It was disclosed on May 5, 2021 and affects Firefox for Android versions prior to 88.1.3. The flaw let a malicious webpage execute attacker-controlled JavaScript in the context of another domain by abusing the way stacked pop-up prompts survived a navigation (Mozilla Advisory, NVD).
The flaw lies in how Firefox for Android handled pop-up prompts when a page called window.open() repeatedly. The browser allowed the resulting prompts to stack, but a navigation removed only one of them. An attacker could therefore trigger several prompts and then navigate to a target site, leaving at least one prompt on screen over the newly loaded page. If the user accepted that leftover prompt and the pop-up URL was a javascript: URI, the script ran with the new page as its 'opener' and gained full access to it, i.e. to a page on a domain the attacker did not control. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Mozilla Bug).
If exploited, this vulnerability allowed an attacker to run arbitrary JavaScript in the context of a domain of their choosing (whichever site they navigated to before the user accepted the prompt), which could lead to theft of sensitive information, session hijacking, or other actions performed on the victim's behalf. Exploitation requires the user to accept the leftover pop-up prompt, but an attacker could make that more likely by spawning many prompts so that the user accepts one simply to regain control of the UI (Mozilla Bug).
Mozilla fixed this vulnerability in Firefox for Android version 88.1.3; users should update to that version or later. With the fix, confirming or allowing a pop-up after the requesting page has navigated away results in an error and the pop-up is not opened (Mozilla Advisory, Mozilla Bug).
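The following is an added example, not Mozilla's code and not from the advisory: a small Node.js model of the prompt stack described above, showing the pre-88.1.3 behaviour (a leftover prompt is accepted with the navigated-to page as opener) next to the fixed behaviour (accepting a prompt whose requesting document has navigated away is refused). The Browser class, the origins attacker.example and victim.example, and the javascript: payload are assumptions made for this illustration.

```javascript
'use strict';
// Added example (not Firefox code): models the pop-up prompt stack from the
// advisory. Origins, the Browser class and the payload are constructed here.

const ATTACKER = 'https://attacker.example';  // constructed origin
const VICTIM = 'https://victim.example';      // constructed origin

class Browser {
  constructor({ fixed }) {
    this.fixed = fixed;                       // false: pre-88.1.3, true: patched
    this.doc = { origin: ATTACKER, id: 1 };   // currently displayed document
    this.prompts = [];                        // stacked "allow pop-up?" prompts
    this.nextId = 2;
  }

  // window.open() does not open anything directly; it queues a prompt that
  // remembers which document asked for it.
  windowOpen(url) {
    this.prompts.push({ url, requester: this.doc });
  }

  // Top-level navigation to another origin. As described in the advisory,
  // only one stacked prompt is removed; the rest stay on screen.
  navigate(origin) {
    this.prompts.shift();
    this.doc = { origin, id: this.nextId++ };
  }

  // User taps "Allow" on the topmost remaining prompt. Returns the origin in
  // whose context the pop-up runs, or throws when the pop-up is refused.
  accept() {
    const prompt = this.prompts.shift();
    if (!prompt) throw new Error('no prompt to accept');
    if (this.fixed && prompt.requester !== this.doc) {
      // Patched behaviour: confirming a pop-up after the requesting page has
      // navigated away is an error and nothing is opened.
      throw new Error('pop-up requested by a document that has since navigated');
    }
    // Vulnerable behaviour: the pop-up is opened with the *current* document
    // as its opener, so a javascript: URI executes with that page's origin.
    if (prompt.url.startsWith('javascript:')) {
      return { executesIn: this.doc.origin, opener: this.doc.origin };
    }
    return { executesIn: new URL(prompt.url).origin, opener: this.doc.origin };
  }
}

// The attack sequence from the advisory: stack two prompts, navigate to the
// target, and wait for the user to accept the prompt that is left behind.
function runAttack({ fixed }) {
  const b = new Browser({ fixed });
  b.windowOpen('javascript:alert(document.cookie)');   // constructed payload
  b.windowOpen('javascript:alert(document.cookie)');
  b.navigate(VICTIM);                                   // removes one prompt only
  const promptsLeft = b.prompts.length;                 // 1: stacking is unchanged by the fix
  try {
    const result = b.accept();
    return { promptsLeft, refused: false, executesIn: result.executesIn };
  } catch (e) {
    return { promptsLeft, refused: true, reason: e.message };
  }
}

console.log('vulnerable:', runAttack({ fixed: false }));
console.log('patched:   ', runAttack({ fixed: true }));
```

The point of the model is that the fix does not change how prompts stack; it binds each prompt to the document that requested it and refuses confirmation once that document is gone, which is exactly the check the attack relied on being absent.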
Source: This report was generated using AI