CVE-2022-26382: 
NixOS vulnerability analysis and mitigation

CVE-2022-26382 is a security vulnerability discovered in Firefox versions prior to 98.0. The vulnerability was disclosed on March 8, 2022, affecting Mozilla Firefox's autofill functionality. While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts, making it susceptible to side-channel attacks (Mozilla Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The issue stems from the browser's handling of autofill preview text, where the text was rendered using page fonts, allowing side-channel attacks through specially crafted fonts to infer the content. The vulnerability is categorized under CWE-203 (Observable Discrepancy) (NVD).

The vulnerability could allow malicious websites to exfiltrate sensitive information from autofill tooltips, including credit card details, addresses, and other personal information through side-channel attacks. While the text couldn't be directly read by JavaScript, attackers could infer the content using specially crafted fonts, potentially compromising user privacy (Mozilla Advisory).

The vulnerability was fixed in Firefox version 98.0. The fix involved pinning the preview font to prevent websites from overriding it and implementing measures to prevent side-channel attacks through font manipulation. Users are advised to upgrade to Firefox 98.0 or later to protect against this vulnerability (Mozilla Advisory).