
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-45417 is a security vulnerability discovered in Firefox's Service Workers implementation that affected the browser's Private Browsing Mode functionality. The vulnerability was disclosed and fixed in Firefox 107, released on November 15, 2022. The issue allowed Service Workers to be written to disk for websites visited in Private Browsing Mode, potentially exposing user browsing history (Mozilla Advisory).
The vulnerability occurred because Service Workers did not correctly detect Private Browsing Mode in all cases, particularly in scenarios involving partitioned iframes. The issue specifically manifested when ePartitionForeignOrDeny or ePartitionTrackersOrDeny were returned from StorageAllowedFor methods in StorageAccess.h. This resulted in directories being created on disk with privateBrowsingId markers, containing both the origin name of the first-party site and the third-party site that triggered the Service Worker installation (Bugzilla).
The primary impact of this vulnerability was the potential exposure of Private Browsing Mode browsing history. When exploited, the vulnerability would leave traces of visited websites on disk through created directories, which contained domain names of both first-party and third-party sites. This data would persist until the user explicitly cleared their browsing data or until cleanup fixes were implemented, contradicting the core privacy promise of Private Browsing Mode (Mozilla Advisory).
The vulnerability was fixed in Firefox 107 by replacing the GetStorageAccess check with IsInPrivateBrowsing in the Service Worker implementation. Mozilla also implemented additional cleanup mechanisms to ensure that any residual data from Private Browsing Mode would be properly removed when the private browsing session ends (Mozilla Advisory).
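A defender's check for the on-disk traces described above, as an added example that is not code from Mozilla or from this page: it walks a profile directory and reports directory names carrying a `privateBrowsingId` marker. The name layout (`origin^key=value&...`, with `+++` standing for `://` and a percent-encoded `partitionKey`), the `storage/default` path and the sample names are assumptions constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

MARKER = "privateBrowsingId"  # marker named in the advisory text

def parse_origin_dir(name):
    """Split an assumed '<origin>^<key=value&...>' directory name."""
    origin, _, suffix = name.partition("^")
    attrs = {}
    for pair in suffix.split("&"):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key] = unquote(value)
    # Assumption: "://" in the origin is stored on disk as "+++".
    return origin.replace("+++", "://", 1), attrs

def find_private_traces(root):
    """Return one record per directory whose name marks a private-browsing origin."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            origin, attrs = parse_origin_dir(name)
            if attrs.get(MARKER, "0") == "0":
                continue  # no marker, or marker explicitly off
            hits.append({
                "path": os.path.join(dirpath, name),
                "origin": origin,
                "partition_key": attrs.get("partitionKey"),
            })
    return sorted(hits, key=lambda h: h["path"])

def build_sample(root):
    """Create constructed directory names: one leaked entry, two benign ones."""
    base = os.path.join(root, "storage", "default")
    for name in (
        "https+++tracker.example^privateBrowsingId=1&partitionKey=%28https%2Cnews.example%29",
        "https+++mail.example^userContextId=2",
        "https+++shop.example",
    ):
        os.makedirs(os.path.join(base, name))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in find_private_traces(tmp):
            print(hit["origin"], "under", hit["partition_key"], "->", hit["path"])
```

Run it against a profile after the private session has closed; any hit is residue of the kind this advisory describes.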
Source: This report was generated using AI