CVE-2023-28159: 
NixOS vulnerability analysis and mitigation

CVE-2023-28159 is a security vulnerability discovered in Firefox for Android that affects versions prior to 111. The vulnerability, reported by Axel Chong (@Haxatron), allows the fullscreen notification to be hidden using download popups, which could lead to potential user confusion or spoofing attacks. This vulnerability specifically affects Firefox for Android, with other operating systems being unaffected (Mozilla Advisory).

The vulnerability exists in the interaction between Firefox's fullscreen notification system and download popups on Android devices. When entering fullscreen mode, the browser displays a notification to warn users about entering fullscreen, which is essential for preventing spoofing attacks as the fullscreen mode lacks the omnibox. However, the vulnerability allowed the download popup to appear below and block this critical fullscreen notification (Mozilla Advisory, Bugzilla). The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) (NVD).

The primary impact of this vulnerability is the potential for user confusion and spoofing attacks. By hiding the fullscreen notification, malicious websites could potentially trick users into believing they are interacting with legitimate content when they are actually in a fullscreen mode that mimics trusted interfaces (Mozilla Advisory).

The vulnerability was fixed in Firefox version 111. The fix involved refactoring the snackbar and download dialogs functionality to ensure proper positioning of the fullscreen notification. Users are advised to update to Firefox version 111 or later to protect against this vulnerability (Mozilla Advisory).