CVE-2022-29916: 
NixOS vulnerability analysis and mitigation

CVE-2022-29916 is a high-severity security vulnerability discovered in Mozilla Firefox that affects browser history privacy. The vulnerability was disclosed on May 3, 2022, and affects Firefox versions prior to 100.0, Firefox ESR versions before 91.9, and Thunderbird versions before 91.9. The issue stems from Firefox's handling of CSS resources involving CSS variables, where the browser exhibited different behaviors for already known resources (Mozilla Advisory).

The vulnerability exists in Firefox's CSS parsing and computation mechanism where the browser processes CSS variables differently for cached resources. When loading CSS resources involving CSS variables, Firefox would perform two runs of requesting images, with the second run revealing information about visited links through the timing and order of resource requests. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The primary impact of this vulnerability is the potential exposure of users' browsing history. An attacker could exploit this vulnerability to probe the browser history by observing the order and timing of CSS resource requests, effectively determining which links a user has previously visited. This represents a significant privacy concern as it could allow websites to gather information about users' browsing habits (Mozilla Advisory, Bugzilla).

The vulnerability was fixed in Firefox 100.0, Firefox ESR 91.9, and Thunderbird 91.9. The fix prevents the browser from stopping to track visited links once they are known to be visited, which eliminates the timing difference that made the history probing possible. Users are advised to upgrade to these versions or newer to protect against this vulnerability (Mozilla Advisory).