CVE-2021-29983: 
NixOS vulnerability analysis and mitigation

Firefox for Android could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit. This vulnerability (CVE-2021-29983) was discovered in 2021 and affected Firefox versions prior to 91. The issue was specific to Firefox for Android, with other operating systems being unaffected (Mozilla Advisory).

The vulnerability stemmed from an implementation issue where GeckoView's method called 'sendToAllChildren' was incorrectly sending events to all ancestors of the browsingContext instead of sending it to the children. When GeckoView attempted to exit fullscreen, it would try to send the 'GeckoView:DOMFullscreenExited' message to the root actor and its ancestors (which don't exist) instead of sending it to the children. The issue was resolved by using document.exitFullscreen instead of traversing the tree (Bugzilla). The vulnerability was rated with a CVSS v3.1 Base Score of 6.5 MEDIUM (NVD).

The vulnerability could be exploited to create a convincing spoof by keeping the browser stuck in fullscreen mode. When focusing on a form, the Android autocomplete would appear along with the Android status bar displayed in the top bar, making the spoof more convincing. This could potentially be used in phishing attacks where malicious pages could maintain control over the display (Bugzilla).

The vulnerability was fixed in Firefox 91 by changing the implementation to use document.exitFullscreen instead of the problematic tree traversal method. Users were advised to upgrade to Firefox 91 or later versions to receive the fix (Mozilla Advisory).