CVE-2022-22761: 
NixOS vulnerability analysis and mitigation

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox versions prior to 97, Thunderbird versions prior to 91.6, and Firefox ESR versions prior to 91.6. The issue was discovered by Mart Gil Robles from FlowCrypt and was assigned CVE-2022-22761 (Mozilla Advisory).

The vulnerability stems from a limitation in Firefox's implementation where frame-ancestor checks were intentionally limited to HTTP channels, excluding extension pages. This meant that web-accessible extension pages could not properly enforce frame-ancestor restrictions specified in their Content Security Policy (CSP), potentially exposing them to unauthorized framing. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow malicious websites to frame extension pages in ways that should have been prevented by the extension's CSP frame-ancestors directive. This could potentially expose extension content to clickjacking attacks, where users might unknowingly interact with the framed extension content (Mozilla Bug).

The vulnerability was fixed in Firefox 97, Firefox ESR 91.6, and Thunderbird 91.6. Users should update to these versions or later to receive the fix. The patch implements proper frame-ancestors CSP directive support for web-accessible extension resources (Mozilla Advisory).