CVE-2023-29533: 
NixOS vulnerability analysis and mitigation

CVE-2023-29533 is a security vulnerability discovered in Mozilla Firefox browsers that affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. The vulnerability was reported by Irvan Kurniawan and disclosed on April 11, 2023. The issue allows a website to obscure the fullscreen notification through a specific combination of window.open, fullscreen requests, window.name assignments, and setInterval calls (Mozilla Advisory).

The vulnerability exploits a race condition in the browser's fullscreen notification system. By using a combination of window.open calls with the same window name and repeated requestFullscreen operations through setInterval, an attacker could cause the popup window to overlap the fullscreen notification toast. The issue received a CVSS v3.1 base score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability could lead to user confusion and potential spoofing attacks by obscuring the fullscreen notification that normally warns users when a website enters fullscreen mode. This could potentially be exploited for social engineering attacks or UI spoofing, as users might not be aware they are in fullscreen mode (Mozilla Advisory).

The vulnerability was fixed in Firefox 112, Firefox ESR 102.10, and Thunderbird 102.10. Mozilla implemented a patch that addresses the race condition by ensuring proper handling of window focus events during fullscreen transitions. Users are advised to update their Mozilla products to these versions or newer to mitigate the vulnerability (Mozilla Advisory, Mozilla Advisory).