CVE-2023-3482: 
NixOS vulnerability analysis and mitigation

CVE-2023-3482 is a security vulnerability discovered in Mozilla Firefox affecting versions prior to 115. The vulnerability was reported by Martin Hostettler and disclosed on July 4, 2023. The issue allowed websites to bypass Firefox's cookie blocking settings by using an iframe with a source of 'about:blank', enabling them to store tracking data in localStorage without user permission (Mozilla Advisory).

The vulnerability stems from an oversight in the storage access check mechanism for about:blank iframes. When Firefox was configured to block storage of all cookies, the browser failed to properly enforce these restrictions on iframes with about:blank sources. This occurred because Firefox exempted storage access checks for about:blank iframes, resulting in StorageAccess::eAllow being returned even when cookie blocking was enabled (Mozilla Bug). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The vulnerability allowed malicious websites to circumvent Firefox's privacy settings and store tracking data without user permission. This bypass of privacy controls could lead to unauthorized user tracking and compromise of user privacy preferences (Mozilla Advisory).

The vulnerability was fixed in Firefox 115. Users should upgrade to Firefox version 115 or later to receive the security fix. The fix involves implementing proper storage access checks for content-accessible about pages (Mozilla Advisory).