CVE-2022-34473: 
NixOS vulnerability analysis and mitigation

The vulnerability CVE-2022-34473 was discovered in Firefox's HTML Sanitizer functionality, affecting versions prior to Firefox 102. The issue was disclosed on June 28, 2022, and involved an incorrect handling of SVG use tags' href attributes. The HTML Sanitizer failed to properly sanitize xlink:href attributes, although it should have sanitized all href attributes of SVG tags (Mozilla Advisory, NVD).

The vulnerability stems from the HTML Sanitizer's failure to properly handle xlink:href attributes in SVG use tags. While the Sanitizer API was designed to restrict SVG attribute values to fragment URLs by default to prevent importing nodes from different documents, this check wasn't implemented for xlink:href attributes, which serve as a valid fallback mechanism. The issue received a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability was rated as having a low security impact. If exploited, it could allow attackers to bypass the HTML Sanitizer's security controls, potentially leading to cross-site scripting (XSS) attacks through unsanitized xlink:href attributes in SVG use tags (Mozilla Advisory).

The vulnerability was fixed in Firefox version 102. Users are advised to upgrade to Firefox 102 or later to receive the security patch. The fix involved implementing proper sanitization checks for xlink:href attributes in SVG use tags (Mozilla Advisory).