CVE-2021-29973: 
NixOS vulnerability analysis and mitigation

CVE-2021-29973 is a security vulnerability discovered in Firefox for Android that allowed password autofill functionality to be enabled without user interaction on insecure (HTTP) websites. The vulnerability was discovered by Wladimir Palant working with Include Security and was fixed in Firefox 90, released on July 13, 2021. This security issue specifically affected Firefox for Android, with other operating systems being unaffected (Mozilla Advisory).

The vulnerability stemmed from the 'signon.autofillForms.http' preference being set to true by default on mobile but not on desktop versions of Firefox. This configuration allowed automatic password filling on insecure HTTP websites without requiring any user interaction. The issue was assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially expose users' login credentials on insecure websites by automatically filling in passwords without user consent. This automatic filling of credentials on HTTP websites increased the risk of credential theft through man-in-the-middle attacks or other network-based attacks (Mozilla Advisory).

The vulnerability was fixed in Firefox 90 by requiring user interaction with the page before the browser's autofill functionality would enter passwords on insecure websites. Users were advised to update to Firefox 90 or later versions to receive the security fix (Mozilla Advisory).