CVE-2022-45410: 
NixOS vulnerability analysis and mitigation

CVE-2022-45410 is a security vulnerability discovered in Firefox browsers where ServiceWorker-intercepted requests bypassed SameSite cookie policy. The vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it, effectively negating SameSite cookie protections. This vulnerability was discovered by Dongsung Kim and was fixed in November 2022 (Mozilla Advisory).

The vulnerability occurs when a ServiceWorker intercepts a request with FetchEvent, causing the origin of the request to be lost after the ServiceWorker takes ownership. This technical issue was addressed in both the specification and browser implementations. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows third-party pages to obtain first-party same-site cookies through ServiceWorker, effectively bypassing SameSite cookie protections. When fetch() is used through the FetchEvent.request or NavigationPreload, the same-site cookie policy would not work correctly, leading to same-site cookies leaking to third-party pages (Mozilla Bug).

The vulnerability was fixed in Firefox 107, Firefox ESR 102.5, and Thunderbird 102.5. The fix involved propagating the InterceptedHttpChannel information to fetch's channel caused by FetchEvent.request. Users are advised to upgrade to these versions or newer to receive the security fix (Mozilla Advisory).

The vulnerability was presented at DEFCON 30 in August 2022, indicating significant interest from the security community. The issue was also identified in other browsers like Chrome, leading to coordinated fixes across major browser vendors (Mozilla Bug).