CVE-2022-31738: 
NixOS vulnerability analysis and mitigation

CVE-2022-31738 is a high-impact security vulnerability discovered in Mozilla Firefox that affects the browser's fullscreen functionality. The vulnerability was reported by Irvan Kurniawan and disclosed on May 31, 2022. The issue affects Firefox, Firefox ESR, and Thunderbird products, where an iframe could confuse the browser about the current state of fullscreen mode (Mozilla Advisory).

The vulnerability occurs when exiting fullscreen mode, where an iframe from a different origin could confuse the browser about the current state of fullscreen. This confusion could result in the iframe content appearing to escape to the parent page, with the page still appearing to be in fullscreen mode despite having visible address bar and toolbar. The issue was introduced with the implementation of Fission-aware fullscreen code and requires both browser.tabs.documentchannel and fission.autostart to be enabled (Mozilla Bug).

The vulnerability allows potential user confusion and spoofing attacks. When exploited, the bug could enable attackers to display spoofed content without showing the fullscreen notification toast, potentially misleading users about the trustworthiness of the displayed content (Mozilla Advisory).

The vulnerability was fixed in Firefox 101, Firefox ESR 91.10, and Thunderbird 91.10. Mozilla developers implemented changes to make the fullscreen code more reliable in cleaning up the fullscreen state for various cases. Users are advised to update to these versions or later to protect against this vulnerability (Mozilla Advisory).