CVE-2022-47934: 
NixOS vulnerability analysis and mitigation

Brave Browser before version 1.43.88 contained a denial of service vulnerability that affected private and guest windows. The vulnerability could be exploited by a remote attacker using a crafted HTML file containing ipfs:// or ipns:// URLs. This vulnerability (CVE-2022-47934) was discovered in December 2022 and was caused by an incomplete fix for previous vulnerabilities CVE-2022-47932 and CVE-2022-47934 (NVD, CVE).

The vulnerability has a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue specifically affected the handling of IPFS (InterPlanetary File System) URLs in subframe navigations within private and guest windows. The vulnerability was addressed by implementing additional checks in the browser's navigation throttle system to prevent committing subframe IPFS navigations (Brave Core PR).

When exploited, this vulnerability could allow an attacker to cause a denial of service condition in private and guest windows of the Brave Browser. The attack required user interaction as the victim needed to open a specially crafted HTML file containing malicious IPFS or IPNS URLs (NVD).

The vulnerability was patched in Brave Browser version 1.43.88. Users should update to this version or later to mitigate the risk. The fix involved implementing a new IpfsSubframeNavigationThrottle to prevent committing subframe IPFS navigations and properly handle IPFS URLs in private and guest windows (Brave Core Commit).