CVE-2023-4045: 
NixOS vulnerability analysis and mitigation

Offscreen Canvas did not properly track cross-origin tainting in Firefox browsers, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability (CVE-2023-4045) was discovered by Max Vlasov and affected Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. The issue was publicly disclosed and patched in August 2023 (Mozilla Advisory).

The vulnerability allowed bypassing cross-origin restrictions through manipulation of the Offscreen Canvas API. When using a regular canvas, accessing cross-origin image data would trigger a security error, but the Offscreen Canvas implementation failed to properly enforce these same-origin restrictions. The issue was rated as high severity with a CVSS v3.1 base score of 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) (NVD).

The vulnerability could allow attackers to bypass same-origin policy restrictions and access image data from other sites that should have been protected. This could potentially lead to data leakage and violation of cross-origin security boundaries that are fundamental to web security (Mozilla Advisory).

The vulnerability was fixed in Firefox 116, Firefox ESR 102.14, and Firefox ESR 115.1. Users and administrators were advised to upgrade to these versions or later to address the security issue. The fix involved implementing proper cross-origin tainting checks for the Offscreen Canvas API (Debian Advisory).