CVE-2023-4047: 
NixOS vulnerability analysis and mitigation

A bug in popup notifications delay calculation (CVE-2023-4047) was discovered that affected Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. The vulnerability was discovered by security researcher Axel Chong (@Haxatron) and was publicly disclosed on August 1, 2023 (Mozilla Advisory).

The vulnerability stems from a flaw in how Firefox calculates delays for popup notifications, specifically related to the security delay mechanism that prevents immediate interaction with permission prompts. The issue has a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD). The vulnerability is classified as a clickjacking type security issue that could bypass Firefox's built-in protection mechanisms (Mozilla Advisory).

The vulnerability could allow an attacker to trick users into granting sensitive permissions such as geolocation, camera, or microphone access. A potential attack scenario involves convincing users to open a new about:blank window under the pretense of starting a game, and when sufficient clicks occur in the game, the window closes and the victim accidentally clicks on the accept button of the permission prompt (Bugzilla).

The vulnerability has been fixed in Firefox 116, Firefox ESR 102.14, and Firefox ESR 115.1. Users are strongly recommended to upgrade to these versions or later. The fix involved correcting how the timeShown parameter is handled when panels are re-shown after a tab switch (Bugzilla).