
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-42927 is a same-origin policy violation vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird. The vulnerability was reported by James Lee and disclosed on October 18, 2022. The flaw affected Firefox versions prior to 106, Firefox ESR versions before 102.4, and Thunderbird versions before 102.4. This security issue allowed the theft of cross-origin URL entries through the performance.getEntries() API, potentially leaking the result of redirects (Mozilla Advisory, CVE Mitre).
The vulnerability is a variant of a previous issue (CVE-2018-18494) and was introduced through bug fixes related to Firefox's Fission implementation. The flaw specifically involves the performance.getEntries() API, which could be exploited to steal cross-origin URL information when framing a page. The issue was classified as high severity and was confirmed to affect all supported branches of Firefox (Mozilla Bugzilla).
The vulnerability allows an attacker who frames a page to violate the same-origin policy and read cross-origin URL entries, specifically the results of redirects. This can lead to information disclosure and compromise user privacy (Mozilla Advisory).
The vulnerability was fixed in Firefox 106, Firefox ESR 102.4, and Thunderbird 102.4. The fix modified the LoadInfo::GetPerformanceStorage() function to prevent unauthorized access to cross-origin URL information. Users are advised to update to these or later versions to protect against this vulnerability (Mozilla Advisory).
Source: This report was generated using AI