CVE-2022-22746: 
NixOS vulnerability analysis and mitigation

CVE-2022-22746 is a security vulnerability discovered in Mozilla Firefox and Thunderbird that was disclosed on January 11, 2022. The vulnerability involves a race condition that could allow bypassing the fullscreen notification, potentially leading to an unnoticed fullscreen window spoof. This vulnerability specifically affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5, but only on Windows operating systems (Mozilla Advisory, NVD).

The vulnerability stems from a race condition in the Windows widget layer of Firefox and Thunderbird that incorrectly handles popup window z-ordering. When calling the reportValidity() function, a race condition could occur that allowed bypassing the fullscreen notification mechanism. The issue received a CVSS v3.1 Base Score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility with high attack complexity and potential for high impact on integrity (NVD).

The vulnerability could allow malicious websites to perform fullscreen window spoofing attacks without the user being notified through the normal fullscreen notification system. This could potentially be used for phishing attacks or other forms of user deception by making it difficult for users to distinguish between legitimate and spoofed fullscreen content (Mozilla Advisory).

Mozilla addressed this vulnerability in Firefox 96, Firefox ESR 91.5, and Thunderbird 91.5. The fix involved modifying how non-ePopupLevelTop popups respect owner z-order in the Windows widget implementation. Users are advised to update to these or later versions to protect against this vulnerability (Mozilla Advisory).