
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-34468 is a high-severity vulnerability in Firefox and Firefox ESR in the handling of the Content Security Policy (CSP) sandbox directive. It was reported by Armin Ebert and disclosed on June 28, 2022. Firefox versions before 102 and Firefox ESR versions before 91.11 are affected (Mozilla Advisory).
A response served with a Content-Security-Policy header whose sandbox directive omits allow-scripts must not run script, and that restriction is meant to cover the handler of a javascript: link just as it covers an inline script element. In affected versions an iframe sandboxed this way could still run script once the user clicked a javascript: link inside it. The check that gates javascript: navigation read the sandbox flags from the browsing context rather than from the document; the CSP sandbox directive applies its flags to the document, so a sandbox imposed only by the header was never seen on that path (Mozilla Advisory, Mozilla Bug). Note that the sandbox directive is honoured only in the HTTP header; a policy delivered in a meta element cannot sandbox a document at all.
Mozilla rates the impact as high. A page can run JavaScript in a document where the CSP sandbox was supposed to forbid it, which defeats the isolation that sandboxing is meant to give embedded or untrusted content, although the bypass requires the user to click the link (Mozilla Advisory).
The vulnerability was fixed in Firefox 102 and Firefox ESR 91.11 by making the check read the sandbox flags from the document instead of the browsing context. Users are advised to upgrade to those or later versions (Mozilla Advisory, Red Hat Advisory). As a general hardening measure that is independent of the advisory, an embedding page can also put a sandbox attribute on the iframe element: that attribute sets the flags on the browsing context, which is the place even the unpatched check consulted.
Source: This report was generated using AI