CVE-2023-4583: 
NixOS vulnerability analysis and mitigation

CVE-2023-4583 is a privacy-related vulnerability discovered in Firefox versions prior to 117, Firefox ESR versions prior to 115.2, and Thunderbird versions prior to 115.2. The vulnerability was reported by Thejaka Maldeniya and was disclosed on August 29, 2023. The issue occurs in the HttpBaseChannel component when checking if the Browsing Context had been discarded (Mozilla Advisory, NVD).

The vulnerability stems from an incorrect assumption in the HttpBaseChannel component. When checking if the Browsing Context had been discarded, if the load group was not available, the system would assume it had already been discarded. However, this assumption was not always correct for private channels after the private session had ended. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability has been classified as having a low security impact. The main concern is that when a private browsing session ends, the browsing context might not be properly cleared, potentially leading to information leakage between private browsing sessions (Mozilla Advisory).

The vulnerability has been fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Users are advised to upgrade to these versions or later to mitigate the vulnerability. The fix involves implementing proper checks for the global private browsing state in HttpBaseChannel when the load group is not available (Mozilla Advisory).