CVE-2022-22743: 
NixOS vulnerability analysis and mitigation

CVE-2022-22743 is a security vulnerability affecting Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. The vulnerability was discovered by Irvan Kurniawan and disclosed in January 2022. When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could make the browser unable to leave fullscreen mode (Mozilla Advisory).

The vulnerability is related to the browser's fullscreen state management during navigation. The issue occurs specifically when an iframe requests fullscreen access and the parent page navigates away. Before BFCache (Back-Forward Cache) was enabled for fission, the window actor would be destroyed after page navigation, triggering a cleanup of the fullscreen state. However, with BFCache enabled, the window actor might not be destroyed, leading to confusion regarding the fullscreen state (Mozilla Bug). The vulnerability has a CVSS v3.1 base score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows an attacker to create a persistent fullscreen mode that users cannot exit normally, potentially enabling browser window spoofing attacks. This could be used to create convincing phishing attacks by preventing users from seeing the browser's normal security indicators and interface elements (Mozilla Advisory).

The vulnerability was fixed in Firefox 96, Firefox ESR 91.5, and Thunderbird 91.5. The fix involves handling the fullscreen state in a more reliable way, particularly in cases involving BFCache and navigation. Users should update to these versions or newer to protect against this vulnerability (Mozilla Advisory).