CVE-2023-28164: 
NixOS vulnerability analysis and mitigation

CVE-2023-28164 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that was disclosed on March 14, 2023. The vulnerability allows for user confusion and website spoofing attacks when dragging a URL from a cross-origin iframe that was removed during the drag operation. This issue affects Firefox versions before 111.0, Firefox ESR versions before 102.9, and Thunderbird versions before 102.9 (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The issue occurs specifically during drag-and-drop operations when a URL is dragged from a cross-origin iframe that gets removed during the dragging process, which could trigger an unexpected navigation in the same tab (NVD).

The vulnerability could lead to user confusion and website spoofing attacks. When exploited, it allows attackers to potentially mislead users about the destination of dragged URLs, which could be used for phishing or other social engineering attacks (Mozilla Advisory).

The vulnerability has been fixed in Firefox 111.0, Firefox ESR 102.9, and Thunderbird 102.9. Users are advised to update their software to these versions or later to mitigate the risk. The fix involves tracking the top-level window context in the DragSession to prevent unauthorized navigation attempts (Mozilla Advisory).