CVE-2022-29909: 
NixOS vulnerability analysis and mitigation

CVE-2022-29909 is a high-impact security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that affects versions prior to Firefox 100, Firefox ESR 91.9, and Thunderbird 91.9. The vulnerability was discovered by security researcher Armin Ebert and disclosed in May 2022. The issue allows documents in deeply-nested cross-origin browsing contexts to obtain permissions granted to the top-level origin, effectively bypassing existing security prompts and wrongfully inheriting top-level permissions (Mozilla Advisory, NVD).

The vulnerability stems from an implementation flaw in how nested browsing contexts handle permission inheritance. Specifically, when using non-iframe elements like or in the ancestor chain, the feature policy inheritance mechanism failed to properly restrict permissions. This allowed cross-origin documents to retain their default feature policy instead of inheriting a limited one, thereby gaining access to permissions granted to the top-level origin (Mozilla Bug).

The vulnerability enables malicious cross-origin documents to bypass security controls and obtain sensitive permissions that should be restricted to the top-level origin. This could allow attackers to access privileged features like webcam, microphone, or geolocation without proper user consent. Additionally, the vulnerability could be exploited to prompt for permissions while masquerading as the trusted top-level site (Mozilla Advisory).

The vulnerability was patched in Firefox 100, Firefox ESR 91.9, and Thunderbird 91.9. Users are advised to update to these versions or later to receive the security fix. The patch implements proper feature policy inheritance for all container types and ensures cross-origin documents cannot bypass permission restrictions (Mozilla Advisory).