CVE-2022-31743: 
NixOS vulnerability analysis and mitigation

Firefox's HTML parser contained a vulnerability (CVE-2022-31743) where it did not correctly interpret HTML comment tags, creating an inconsistency with other browsers' behavior. This vulnerability was discovered by Linus Särud and affected Firefox versions prior to 101. The issue was publicly disclosed on May 31, 2022, as part of Mozilla's security advisory (Mozilla Advisory).

The vulnerability stems from Firefox's HTML parser incorrectly handling HTML comment tags, specifically in cases where user-controlled data was placed within HTML comments. The issue was assigned a moderate severity rating, indicating a significant but not critical security risk. The vulnerability was tracked in Mozilla's bug tracking system under Bug 1747388 (Mozilla Bugzilla).

This vulnerability could allow attackers to escape HTML comments on pages where user-controlled data was placed within comment tags. The inconsistency in parsing behavior between Firefox and other browsers (Chrome and Safari) could be exploited to achieve cross-site scripting (XSS) attacks in certain contexts (Mozilla Advisory).

The vulnerability was fixed in Firefox 101. Users and organizations running affected versions of Firefox should upgrade to version 101 or later to receive the security patch. The fix was also backported to Firefox ESR releases (Mozilla Advisory).