CVE-2023-29546: 
NixOS vulnerability analysis and mitigation

CVE-2023-29546 is a privacy vulnerability discovered in Firefox for Android's Private Browsing mode that affects versions prior to 112. When recording the screen while in Private Browsing mode, the address bar and keyboard were not properly hidden, potentially exposing sensitive information. This vulnerability specifically impacts Firefox for Android and Focus for Android, while other operating systems remain unaffected (Mozilla Advisory).

The vulnerability stems from an implementation flaw where the FLAG_SECURE protection was not properly applied to all elements of the private browsing interface. While screen recording was disabled for private browsing tabs, the address bar remained visible during screen captures, potentially exposing sensitive URL parameters and other private information. The issue was assigned a CVSS v3.1 base score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) (NVD).

The vulnerability could allow attackers to view sensitive information contained in the address bar during screen recording, including access tokens, emails, passwords, and secret parameters. This exposure violates the privacy expectations of Private Browsing mode and could lead to the compromise of sensitive user data (Mozilla Bug).

The vulnerability was fixed in Firefox for Android version 112 and Focus for Android version 112. The fix involved properly applying FLAG_SECURE to all elements that are part of private browsing. Users are advised to update to these versions or later to protect against potential privacy exposures (Mozilla Advisory).