CVE-2022-38472: 
NixOS vulnerability analysis and mitigation

CVE-2022-38472 is a high-severity vulnerability discovered in Mozilla Firefox and Thunderbird browsers that allows address bar spoofing through XSLT error handling. The vulnerability was discovered by Armin Ebert and disclosed on August 23, 2022. It affects Firefox < 104.0, Firefox ESR < 102.2, Firefox ESR < 91.13, Thunderbird < 102.2, and Thunderbird < 91.13 (Mozilla Advisory, Mozilla Advisory ESR).

The vulnerability exists in the XSLT processor's error handling mechanism where an attacker could abuse XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. The issue occurs when the XSLT processor acts on the wrong context when reporting an error, potentially substituting the wrong document with an attacker-controlled error document. This can cause a state where different documents of potentially different origins refer to the same outer window (Mozilla Advisory).

The vulnerability allows attackers to spoof the address bar, security UI, and Android-native password autofill. On Firefox for Android, attackers could fully spoof any URL in the address bar, including security indicators, and trigger Google autofill to insert stored credentials for the spoofed origin. Even with Fission enabled, the bug could be exploited when navigation between subdomains and/or ports happens in-process, or by using error pages that load before process switches (Bugzilla).

The vulnerability was patched in Firefox 104.0, Firefox ESR 102.2, Firefox ESR 91.13, Thunderbird 102.2, and Thunderbird 91.13. Users are advised to update to these versions or later to mitigate the vulnerability. For Thunderbird users, it's noted that these flaws cannot be exploited through email as scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts (Mozilla Advisory, Thunderbird Advisory).