CVE-2023-4051: 
NixOS vulnerability analysis and mitigation

CVE-2023-4051 is a security vulnerability discovered in Mozilla Firefox that affects versions prior to Firefox 116, Firefox ESR prior to 115.2, and Thunderbird prior to 115.2. The vulnerability was reported by Hafiizh and disclosed on August 1, 2023. The issue allows a website to obscure the full screen notification by using the file open dialog, which could lead to user confusion and possible spoofing attacks (Mozilla Advisory, NVD).

The vulnerability has a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue occurs when a website enters fullscreen mode and triggers a file open dialog before the fullscreen notification's auto-hide timer expires (3 seconds). This causes the notification to be hidden by the file picker dialog, potentially leading to user interface spoofing (Mozilla Advisory, Mozilla Bug).

The vulnerability could lead to user confusion and possible spoofing attacks by obscuring the fullscreen notification. This could potentially be exploited by malicious websites to hide the fact that they are running in fullscreen mode, which could be used for phishing or other social engineering attacks (Mozilla Advisory).

The vulnerability was fixed in Firefox 116, Firefox ESR 115.2, and Thunderbird 115.2. The fix involves ensuring that the fullscreen notification reappears when the user refocuses on the fullscreen window after the file picker is closed. Users are advised to update to these or later versions to protect against this vulnerability (Mozilla Advisory, Mozilla Bug).