CVE-2023-25750: 
NixOS vulnerability analysis and mitigation

CVE-2023-25750 is a security vulnerability discovered in Mozilla Firefox versions prior to 111 that affects the browser's Private Browsing Mode functionality. Under certain circumstances, a ServiceWorker's offline cache could leak to the file system when using private browsing mode, compromising the privacy expectations of Private Browsing Mode. The vulnerability was discovered by Kagami Rosylight and was publicly disclosed on March 14, 2023 (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The issue stems from improper handling of ServiceWorker's offline cache in Private Browsing Mode, where cached data could persist to the file system instead of being contained in memory and cleared upon session termination (NVD).

The vulnerability allows for data leakage from Private Browsing Mode sessions, potentially exposing user browsing data that should have been isolated and destroyed after the session ends. More critically, the cached data could persist across different Private Browsing Mode sessions, allowing websites to track user activity between supposedly isolated private browsing sessions (Mozilla Advisory).

The vulnerability was fixed in Firefox version 111. Users are advised to update to Firefox 111 or later to receive the security fix. The fix prevents ServiceWorker's offline cache from being stored on the file system during Private Browsing Mode sessions. Mozilla has also implemented additional cleanup mechanisms to clear any potentially leaked data from previous versions (Mozilla Advisory).