CVE-2021-38492: 
NixOS vulnerability analysis and mitigation

CVE-2021-38492 is a security vulnerability discovered in Mozilla Firefox and Thunderbird that affects Windows systems. The vulnerability was disclosed on September 7, 2021, and involves Firefox's handling of the 'mk' URL scheme. This vulnerability affects Firefox versions prior to 92, Thunderbird versions prior to 91.1 and 78.14, Firefox ESR versions prior to 78.14 and 91.1 (Mozilla Advisory, NVD).

The vulnerability occurs when delegating navigations to the operating system, where Firefox would accept the 'mk' scheme which could allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. This security issue specifically affects Windows systems, while other operating systems remain unaffected (NVD).

The vulnerability could allow attackers to execute scripts in Internet Explorer with unprivileged mode access, potentially leading to security breaches through the browser. The impact is limited to Windows systems where both Firefox/Thunderbird and Internet Explorer are installed (Mozilla Advisory).

The vulnerability was patched in Firefox 92, Firefox ESR 78.14, Firefox ESR 91.1, Thunderbird 91.1, and Thunderbird 78.14. Users are advised to upgrade to these versions or later to mitigate the vulnerability. No workarounds were provided for affected versions (Mozilla Advisory, Gentoo Advisory).