CVE-2022-45413: 
NixOS vulnerability analysis and mitigation

CVE-2022-45413 is a security vulnerability discovered in Firefox for Android that affects versions prior to 107. The vulnerability was disclosed on November 15, 2022, and involves a SameSite cookie bypass issue. Using the S.browser_fallback_url parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent, affecting only Firefox for Android while other operating systems remain unaffected (Mozilla Advisory, NVD).

The vulnerability has a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue occurs specifically when handling intent URLs on Android, where the S.browser_fallback_url parameter specifies the URL to load when the browser fails to verify the intent. When opening the fallback_url parameter, the browser didn't properly enforce SameSite cookie restrictions (Mozilla Bug).

The vulnerability allows attackers to bypass SameSite=Strict cookie protections on Firefox for Android. This could potentially lead to cross-site request forgery (CSRF) attacks by allowing the transmission of cookies that should be restricted to same-site contexts (Mozilla Advisory).

The vulnerability was fixed in Firefox version 107. The fix involves setting proper load flags when handling browser_fallback_url in the Android Components. Users are advised to update to Firefox version 107 or later to mitigate this vulnerability (Mozilla Advisory).