CVE-2023-29547: 
NixOS vulnerability analysis and mitigation

CVE-2023-29547 is a security vulnerability discovered in Firefox that affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. The vulnerability was reported by Marco Squarcina and disclosed in April 2023. The issue occurs when a secure cookie exists in the Firefox cookie jar, and an insecure cookie for the same domain could be created when it should have silently failed (Mozilla Advisory, NVD).

The vulnerability involves a desynchronization between document.cookie and the actual content of the cookie jar in Firefox. When a secure cookie exists, the browser incorrectly allows setting an insecure cookie with the same name in document.cookie, although this cookie is not saved in the actual cookie jar. This behavior contradicts the Cookies Storage Model specification, which states that non-secure cookies should be discarded in such cases (Mozilla Bug). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability could lead to a desynchronization in expected results when reading from the secure cookie. This inconsistency could potentially introduce vulnerabilities in applications that trust the cookies read from document.cookie, allowing same-site and network attackers to spoof the value of a cookie previously set as Secure (Mozilla Advisory).

The vulnerability was fixed in Firefox 112, Firefox for Android 112, and Focus for Android 112. Users should upgrade to these versions or later to receive the security fix. The fix prevents document.cookie de-sync from the cookie jar when setting secure cookies (Mozilla Advisory).