CVE-2023-25748: 
NixOS vulnerability analysis and mitigation

CVE-2023-25748 is a security vulnerability discovered in Firefox for Android that affects versions prior to 111. By displaying a prompt with a long description, attackers could hide the fullscreen notification, potentially leading to user confusion and spoofing attacks. The vulnerability was disclosed and fixed in March 2023, specifically impacting only the Android version of Firefox, with other operating systems remaining unaffected (Mozilla Advisory).

The vulnerability was rated with a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The issue stems from the browser's handling of window prompts with long descriptions, which could overlap with and obscure the fullscreen notification system. This vulnerability was classified under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) (NVD).

The primary impact of this vulnerability is the potential for spoofing attacks. When exploited, an attacker could create confusion by hiding the fullscreen notification, potentially misleading users about their browsing context. This could lead to phishing attacks or other forms of user deception (Mozilla Advisory).

The vulnerability was fixed in Firefox version 111. The solution implemented involves exiting fullscreen mode when any new prompt request is shown, similar to the behavior implemented in other browsers. Users are advised to update to Firefox version 111 or later to protect against this vulnerability (Mozilla Bug).