CVE-2021-29965: 
NixOS vulnerability analysis and mitigation

CVE-2021-29965 is a high-impact vulnerability discovered in Firefox for Android that affects versions prior to 89.0. The vulnerability, reported by Harshit Mahendra, involves a password manager domain spoofing issue that was disclosed and fixed in June 2021. The vulnerability specifically affects the built-in password manager functionality in Firefox for Android, while other operating systems remain unaffected (Mozilla Advisory, NVD).

The vulnerability allows a malicious website to spawn an HTTP Authentication dialog that tricks the built-in password manager into suggesting passwords for the currently active website instead of the website that actually triggered the dialog. The issue stems from the password manager using the URL of the current tab instead of the URL for which the authentication dialog was intended. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability could allow an attacker to conduct domain spoofing attacks by manipulating the password manager to suggest credentials for a different domain than the one requesting authentication. This could potentially lead to users inadvertently exposing their credentials to malicious websites (Mozilla Advisory).

The vulnerability was fixed in Firefox for Android version 89.0. Users are advised to update to this version or later to receive the security patch. The fix involves modifying the AuthenticationDialogFragment to use the URL from the prompt request instead of the current page's URL (Mozilla Advisory).