CVE-2022-29910
NixOS vulnerability analysis and mitigation

Overview

CVE-2022-29910 is a security vulnerability affecting Firefox for Android that was discovered and fixed in Firefox version 100. When the application was closed or sent to the background, Firefox for Android would not properly record and persist HTTP Strict Transport Security (HSTS) settings. The vulnerability was specific to Firefox for Android; other operating systems were unaffected (Mozilla Advisory).

Technical details

The vulnerability stems from an issue where the SiteSecurityServiceState.txt file in the profile directory, which stores HSTS policies, was only written out every 5 minutes and at shutdown. On mobile devices, sessions could be shorter than this interval, and without a proper shutdown hook, the HSTS settings would not be saved. The issue was assigned a CVSS v3.1 base score of 6.1 (Medium) (NVD, Mozilla Bug).

Impact

Because the settings were not persisted, HSTS policies might not be enforced after the browser was restarted or backgrounded. Secure HTTPS connections might therefore not be automatically enforced for websites that had previously set HSTS policies, potentially exposing users to downgrade attacks (Mozilla Advisory).

Mitigation and workarounds

The issue was fixed in Firefox 100 by implementing atomic writes for DataStorage data and adding a mechanism to trigger writes when the application is backgrounded. The fix ensures that HSTS settings are properly persisted even when the application is backgrounded or closed (Mozilla Bug).
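
A simplified model of the persistence gap under "Technical details" and the fix described above, as an added example that is not Firefox's code. `HstsStore`, `short_session`, the file name and the tab-separated layout are assumptions for illustration and do not reproduce the real SiteSecurityServiceState.txt format.

```python
import os
import tempfile

FLUSH_INTERVAL = 300  # seconds: the 5-minute write interval described above

class HstsStore:
    """Simplified model of an on-disk HSTS store; not Firefox's DataStorage."""

    def __init__(self, path, flush_on_background):
        self.path = path
        self.flush_on_background = flush_on_background  # False models pre-fix
        self.entries = {}      # host -> max-age, memory-only until flushed
        self.last_flush = 0.0

    def record(self, host, max_age):
        self.entries[host] = max_age

    def tick(self, now):
        if now - self.last_flush >= FLUSH_INTERVAL:  # periodic timer write
            self.flush(now)

    def on_background(self, now):
        # Post-fix behaviour: persist as soon as the app leaves the foreground.
        if self.flush_on_background:
            self.flush(now)

    def flush(self, now):
        # Atomic write: temp file in the same directory, fsync, then rename.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        with os.fdopen(fd, "w") as f:
            for host, max_age in sorted(self.entries.items()):
                f.write(f"{host}\t{max_age}\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        self.last_flush = now

def short_session(flush_on_background):
    """Visit an HSTS site, background after 40 s, get killed with no shutdown."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hsts_state.txt")   # constructed file name
        store = HstsStore(path, flush_on_background)
        store.record("example.test", 31536000)     # constructed host and max-age
        store.tick(now=40.0)
        store.on_background(now=40.0)
        if not os.path.exists(path):
            return {}
        with open(path) as f:
            return dict(line.rstrip("\n").split("\t") for line in f)
```

`short_session(False)` returns an empty mapping because the 40-second session ends before the timer fires, while `short_session(True)` returns the recorded host because the background hook wrote it out.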

Source: This report was generated using AI

Related NixOS vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-68120 | MEDIUM | 5.4 | NixOS | go | No | Yes | Dec 30, 2025 |
| CVE-2025-69413 | MEDIUM | 5.3 | NixOS | code.gitea.io/gitea | No | Yes | Jan 01, 2026 |
| CVE-2025-15412 | MEDIUM | 4.8 | NixOS | wabt | No | No | Jan 01, 2026 |
| CVE-2025-15411 | MEDIUM | 4.8 | NixOS | wabt | No | No | Jan 01, 2026 |
| CVE-2025-68932 | LOW | 2.9 | NixOS | freshrss | No | Yes | Dec 27, 2025 |
