CVE-2022-34474: 
NixOS vulnerability analysis and mitigation

CVE-2022-34474 is a security vulnerability discovered in Mozilla Firefox that affects sandboxed iframes. The vulnerability was reported by the Amazon Malvertising Team and was fixed in Firefox 102, released on June 28, 2022. The issue affected Firefox on macOS and Android platforms, allowing sandboxed iframes to redirect to external schemes even when restricted (Mozilla Advisory).

The vulnerability occurs when an iframe is sandboxed with allow-top-navigation-by-user-activation. Even with this restriction in place, if the iframe received a redirect header to an external protocol, the browser would process the redirect and prompt the user accordingly. This behavior bypassed the intended sandbox restrictions that should have prevented such redirections (Mozilla Advisory, Mozilla Bugzilla).

The vulnerability was rated as having moderate impact. It could allow malicious websites to trigger unauthorized protocol handlers and potentially redirect users to external applications or schemes, bypassing intended security restrictions. This could be exploited in malvertising campaigns to redirect users to unwanted destinations (Mozilla Advisory).

The vulnerability was fixed in Firefox 102. The fix involved implementing proper enforcement of sandbox restrictions for custom protocol navigation. Mozilla also added a new sandbox flag 'allow-top-navigation-to-custom-protocols' to properly control such redirections. Users were advised to upgrade to Firefox 102 or later versions to receive the security fix (Mozilla Advisory).