CVE-2022-1802: 
NixOS vulnerability analysis and mitigation

CVE-2022-1802 is a critical security vulnerability discovered in Firefox browsers and Thunderbird that was disclosed on May 20, 2022. The vulnerability affects Firefox versions prior to 100.0.2, Firefox ESR versions before 91.9.1, Firefox for Android versions before 100.3.0, and Thunderbird versions before 91.9.1. It was discovered by Manfred Paul through Trend Micro's Zero Day Initiative (Mozilla Advisory).

The vulnerability is a prototype pollution issue in the Top-Level Await implementation of Firefox's JavaScript engine. The flaw allows an attacker to corrupt the methods of an Array object in JavaScript through prototype pollution. This vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High), with attack vector being Network, attack complexity Low, requiring no privileges but user interaction, with unchanged scope and High impact on confidentiality, integrity, and availability (Ubuntu Security).

If successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in a privileged context. This means attackers could potentially gain elevated privileges and execute malicious code with browser-level permissions (Mozilla Advisory).

Mozilla has released patches for all affected versions. Users should upgrade to Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3.0, or Thunderbird 91.9.1 or later versions. The fix involves making notification code use Object.create to prevent prototype pollution (Mozilla Advisory).