CVE-2022-28284: 
NixOS vulnerability analysis and mitigation

CVE-2022-28284 is a security vulnerability discovered in Firefox's SVG implementation that affects Firefox versions prior to 99. The vulnerability was discovered by Leo Balter and disclosed on April 5, 2022. The issue involves Firefox's handling of SVG's element, which could be exploited to load unexpected content that could execute scripts in certain circumstances (Mozilla Advisory).

The vulnerability stems from Firefox's implementation of SVG's element, where it could be used to load unexpected content through same-origin SVG files. While the SVG specification appears to allow this behavior, other browsers implement stricter controls on elements inside SVG tags. The issue specifically involves the ability to execute scripts through SVG's foreignObject with iframe elements, loaded through a same-origin SVG file. The vulnerability was rated with moderate severity (Mozilla Advisory, Bugzilla).

The vulnerability could allow attackers to bypass sandboxing frameworks and gain access to the raw document, potentially accessing sensitive information such as cookies. This could lead to unauthorized script execution and potential cross-site scripting attacks within the same origin context (Bugzilla).

The vulnerability was fixed in Firefox 99 by limiting cross-document content loadable via SVG's element. Mozilla aligned their implementation with other browsers' behavior to prevent unexpected script execution. Users should upgrade to Firefox 99 or later to receive the security fix (Mozilla Advisory, Ubuntu Notice).