CVE-2022-38473
NixOS vulnerability analysis and mitigation

Overview

CVE-2022-38473 is a vulnerability in Mozilla Firefox and Thunderbird, rated high impact by Mozilla and disclosed on August 23, 2022. It affects Firefox < 104, Firefox ESR < 102.2, Firefox ESR < 91.13, Thunderbird < 102.2 and Thunderbird < 91.13. A cross-origin iframe referencing an XSLT document could inherit the parent domain's permissions, such as microphone or camera access, instead of being subject to the normal cross-origin permission restrictions (Mozilla Advisory).

Technical details

The flaw is in how the result of an XSLT transformation takes over Feature Policy (the mechanism now called Permissions Policy) from its source document. During XSL transformation, several properties of the source document are copied to the result document in URIUtils::ResetWithSource(), but the source document's FeaturePolicy was not among them. The result document therefore started out with a fresh, permissive default policy, and in a nested context (a cross-origin iframe) a policy with nothing denied behaves as if the top-level document had delegated every permission to the frame (Mozilla Bug).
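To make the inheritance step concrete, the following is a simplified model of Feature Policy inheritance for nested frames, added here as an example. It is not Firefox code and is not taken from the Mozilla bug: the origins, the feature set and the two XSLT result-document helpers (one mirroring the vulnerable behaviour, one the fixed behaviour) are constructed to match the advisory's description, and the policy algorithms are reduced to the steps that matter here.

```javascript
// Added example: a reduced model of Feature Policy (Permissions Policy)
// inheritance for nested browsing contexts. Not Firefox code; origins,
// feature set and the two XSLT result-document helpers are constructed.

// Default allowlist per feature, as in the specification for these features.
const DEFAULT_ALLOWLIST = { microphone: "'self'", camera: "'self'", "sync-xhr": "*" };
const FEATURES = Object.keys(DEFAULT_ALLOWLIST);

// Does an allowlist ("*", "'self'" or origin strings) match `origin`?
function allowlistMatches(allowlist, origin, selfOrigin) {
  return allowlist.some(
    (s) => s === "*" || (s === "'self'" && origin === selfOrigin) || s === origin
  );
}

// Parse an <iframe allow="..."> attribute into a container policy. A bare
// feature name means 'src' (the frame's own origin); 'none' empties the list.
function parseAllowAttribute(allowAttr, frameOrigin) {
  const policy = {};
  for (const decl of (allowAttr || "").split(";")) {
    const [feature, ...sources] = decl.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy[feature] = sources.length === 0
      ? [frameOrigin]
      : sources.filter((s) => s !== "'none'").map((s) => (s === "'src'" ? frameOrigin : s));
  }
  return policy;
}

// "Is feature enabled in document for origin?" (spec algorithm, reduced).
function isFeatureEnabled(feature, doc, origin) {
  if (doc.inherited[feature] === false) return false;
  const declared = doc.declaredPolicy[feature];
  if (declared) return allowlistMatches(declared, origin, doc.origin);
  const def = DEFAULT_ALLOWLIST[feature];
  return def === "*" || (def === "'self'" && origin === doc.origin);
}

// "Define an inherited policy for feature in container at origin" (reduced).
// `container` is null for a top-level document, else { parentDoc, allow }.
function inheritedPolicy(feature, childOrigin, container) {
  if (container === null) return true;
  const parent = container.parentDoc;
  if (!isFeatureEnabled(feature, parent, parent.origin)) return false;
  const declared = parent.declaredPolicy[feature];
  if (declared && !allowlistMatches(declared, childOrigin, parent.origin)) return false;
  const containerPolicy = parseAllowAttribute(container.allow, childOrigin);
  if (feature in containerPolicy) {
    return allowlistMatches(containerPolicy[feature], childOrigin, parent.origin);
  }
  const def = DEFAULT_ALLOWLIST[feature];
  return def === "*" || (def === "'self'" && childOrigin === parent.origin);
}

// A document carries its origin, its declared (header) policy and the
// inherited policy computed from its container when it is created.
function createDocument(origin, declaredPolicy, container) {
  const inherited = {};
  for (const f of FEATURES) inherited[f] = inheritedPolicy(f, origin, container);
  return { origin, declaredPolicy, inherited };
}

// Modelled vulnerable behaviour: the XSLT result document gets a fresh
// policy with nothing denied, as if it were a top-level document.
function xsltResultDocumentVulnerable(sourceDoc) {
  const inherited = {};
  for (const f of FEATURES) inherited[f] = true;
  return { origin: sourceDoc.origin, declaredPolicy: sourceDoc.declaredPolicy, inherited };
}

// Modelled fixed behaviour: the result document keeps the source document's
// inherited policy, so the container's restrictions still apply.
function xsltResultDocumentFixed(sourceDoc) {
  return { ...sourceDoc, inherited: { ...sourceDoc.inherited } };
}

// Constructed scenario: https://app.example (which may use the microphone
// itself) embeds a cross-origin XML+XSLT document from https://attacker.example.
function scenario(feature, allowAttr) {
  const top = createDocument("https://app.example", {}, null);
  const source = createDocument("https://attacker.example", {}, { parentDoc: top, allow: allowAttr });
  const check = (doc) => isFeatureEnabled(feature, doc, doc.origin);
  return {
    source: check(source),
    vulnerable: check(xsltResultDocumentVulnerable(source)),
    fixed: check(xsltResultDocumentFixed(source)),
  };
}

console.log(scenario("microphone", ""));            // { source: false, vulnerable: true, fixed: false }
console.log(scenario("microphone", "microphone"));  // { source: true, vulnerable: true, fixed: true }
```

The first call is the advisory's case: the frame was never delegated the microphone, the source document correctly has it denied, yet the result document built from a fresh policy reports it as enabled. The second call shows that explicit delegation through the allow attribute is unaffected, which is why the bug is an inheritance error rather than a delegation-parsing one.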

Impact

A malicious cross-origin iframe whose content is produced by an XSLT transformation could use permissions that were granted to the embedding (parent) site, including microphone and camera access, without the parent delegating them through the iframe's allow attribute. In practice this requires the attacker to get such a frame embedded in a site that already holds the grant, for example through a third-party widget, after which user media devices could be accessed under the parent's authorization, a significant privacy and security risk (Mozilla Advisory).

Mitigation and workarounds

Mozilla fixed the issue in Firefox 104, Firefox ESR 102.2, Firefox ESR 91.13, Thunderbird 102.2 and Thunderbird 91.13; update to these or later versions. Note that Firefox release versions between the two ESR branches (92 through 103) are only fixed from 104, so a Firefox 103 install is still affected even though Firefox ESR 102.2 is not. For Thunderbird, Mozilla's advisories note that flaws of this kind generally cannot be exploited through email because scripting is disabled when reading mail, but they remain a risk in browser-like contexts inside the client (Mozilla Advisory, Debian Security).
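As an added check (not code from Mozilla, Debian or this page), the following maps the fixed versions above onto raw `firefox --version` / `thunderbird --version` output so that an inventory of installs can be classified. The ESR branches must be compared on the minor version while the release train is compared on the major, which is where an ad hoc "version >= 102.2" check goes wrong: Firefox 103 is still affected. The version strings at the bottom are constructed samples.

```javascript
// Added example (not from Mozilla, Debian or the page): classify installed
// Firefox / Thunderbird builds against the CVE-2022-38473 fixed versions.
// The `--version` output lines at the bottom are constructed samples.

// First fixed version per product. Long-lived branches are keyed by major and
// compared on the minor; any other major is compared against firstFixedMajor.
const FIXED_IN = {
  firefox:     { branches: { 91: 13, 102: 2 }, firstFixedMajor: 104 },
  thunderbird: { branches: { 91: 13, 102: 2 }, firstFixedMajor: 102 },
};

// Accepts "Mozilla Firefox 102.1.0esr", "Thunderbird 91.12.0" or a bare "104.0".
function parseVersion(text) {
  const m = /(\d+)\.(\d+)(?:\.(\d+))?(esr)?/.exec(text);
  if (!m) throw new Error(`no version number in: ${JSON.stringify(text)}`);
  return { major: Number(m[1]), minor: Number(m[2]), esr: Boolean(m[4]) };
}

// True when the build predates the fix for its branch.
function isVulnerable(product, versionText) {
  const rules = FIXED_IN[product];
  if (!rules) throw new Error(`unknown product: ${product}`);
  const { major, minor } = parseVersion(versionText);
  if (major in rules.branches) return minor < rules.branches[major];
  return major < rules.firstFixedMajor;
}

// Classify a list of [product, `--version` output] pairs.
function report(installs) {
  return installs.map(([product, text]) => ({
    product,
    version: text.trim(),
    vulnerable: isVulnerable(product, text),
  }));
}

// Constructed samples of `firefox --version` / `thunderbird --version` output.
const SAMPLES = [
  ["firefox", "Mozilla Firefox 102.1.0esr"], // ESR before the fix
  ["firefox", "Mozilla Firefox 102.2.0esr"], // ESR with the fix
  ["firefox", "Mozilla Firefox 103.0.2"],    // release train, fixed only from 104
  ["firefox", "Mozilla Firefox 104.0"],
  ["thunderbird", "Thunderbird 91.12.0"],
  ["thunderbird", "Thunderbird 91.13.0"],
];

for (const r of report(SAMPLES)) {
  console.log(`${r.product.padEnd(12)} ${r.version.padEnd(28)} ${r.vulnerable ? "VULNERABLE" : "fixed"}`);
}
```

On a NixOS host the same input comes from running the packaged binary with `--version`; the classification only depends on the product name and the version string, so it can be fed from any inventory source.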

Source: This report was generated using AI.

Related NixOS vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-22783   HIGH      8.1    NixOS         iris            No                Yes      Jan 12, 2026
CVE-2026-0821    MEDIUM    6.9    NixOS         quickjs         No                No       Jan 10, 2026
CVE-2025-68949   MEDIUM    5.3    NixOS         n8n             No                Yes      Jan 13, 2026
CVE-2026-22784   LOW       2.3    NixOS         lychee          No                Yes      Jan 12, 2026
CVE-2026-23497   LOW       1.3    NixOS         learning        No                Yes      Jan 14, 2026
