CVE-2022-28286: 
NixOS vulnerability analysis and mitigation

CVE-2022-28286 is a layout vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that was disclosed on April 5, 2022. The vulnerability affects Firefox versions prior to 99.0, Firefox ESR versions before 91.8, and Thunderbird versions before 91.8. Due to a layout change, iframe contents could be rendered outside of its border, potentially leading to user confusion or spoofing attacks (Mozilla Advisory, NVD).

The vulnerability is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). It received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The issue occurs when a table header cell has stacking context inducing properties, causing its column and column group backgrounds to be incorrectly clipped. This could allow content to be rendered beyond the iframe's intended boundaries (NVD, Mozilla Bug).

The vulnerability could lead to user confusion and potential spoofing attacks. When exploited, an attacker could use CSS background-image in the 'colgroup' element to cover and replace web contents with their own image, positioning it using CSS width, height, left, and top properties on the table element. This could potentially be used to obscure legitimate content or create misleading visual presentations (Mozilla Bug).

The vulnerability was fixed in Firefox 99.0, Firefox ESR 91.8, and Thunderbird 91.8. The fix involved setting proper clipping on background items for table columns and column groups when the table cell has captured clip (Mozilla Advisory, Mozilla Bug).