Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-6206 is a high-impact clickjacking vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that affects versions prior to Firefox 120, Firefox ESR 115.5.0, and Thunderbird 115.5. The vulnerability was disclosed on November 21, 2023, and involves the black fade animation shown when exiting fullscreen mode, which could be exploited to trick users into granting permissions unintentionally (Mozilla Advisory).
The vulnerability exploits the timing relationship between the black fade animation played when exiting fullscreen mode and the anti-clickjacking delay applied to permission prompts. Because the fade animation lasts approximately as long as the anti-clickjacking delay, an attacker could surprise users by luring them to click at the screen position where the permission grant button would appear just as the delay expires. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).
The vulnerability could allow attackers to perform clickjacking attacks that trick users into granting sensitive permissions for the camera, microphone, geolocation, and other features without their informed consent. This could lead to unauthorized access to users' private data and device capabilities (Mozilla Advisory, Debian Advisory).
The vulnerability has been patched in Firefox 120, Firefox ESR 115.5.0, and Thunderbird 115.5. Users are strongly recommended to upgrade to these versions or later. The fix extends the security delay on permission prompts when the browser exits fullscreen mode, so that the fade animation can no longer overlap the window in which a click on the prompt is accepted (Mozilla Advisory, Debian LTS).
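The following is an added illustrative model of the mitigation described above; it is not Firefox or Thunderbird code. It models a permission prompt whose "Allow" button discards clicks until a security delay has elapsed, and which pushes that deadline out when the document leaves fullscreen while the prompt is open. The delay values (`SECURITY_DELAY_MS`, `FULLSCREEN_EXIT_DELAY_MS`), the class and function names, and the scenario timings are all assumptions chosen for the example; timestamps are plain millisecond numbers supplied by the caller so the logic runs offline.

```javascript
// Illustrative model of an anti-clickjacking delay on a permission prompt,
// including the mitigation of extending the delay on fullscreen exit.
// Not browser code; all constants and names are assumptions for this example.

const SECURITY_DELAY_MS = 1000;        // assumed anti-clickjacking delay
const FULLSCREEN_EXIT_DELAY_MS = 1000; // assumed extra delay after fullscreen exit

class PermissionPrompt {
  constructor(openedAt, delayMs = SECURITY_DELAY_MS) {
    this.openedAt = openedAt;
    // Earliest timestamp at which a click on "Allow" is honoured.
    this.acceptAfter = openedAt + delayMs;
    this.decision = null;
  }

  // Called when the document leaves fullscreen (in a real page this would be
  // driven by a `fullscreenchange` event with document.fullscreenElement
  // === null). Without this step the fade animation that follows the exit
  // can end right as the original delay expires, which is the timing the
  // vulnerability relied on; with it, the deadline always covers the fade.
  onFullscreenExit(at, extraMs = FULLSCREEN_EXIT_DELAY_MS) {
    this.acceptAfter = Math.max(this.acceptAfter, at + extraMs);
  }

  // Returns true if the click was honoured, false if it was discarded
  // because it arrived inside the security delay or after a decision.
  clickAllow(at) {
    if (this.decision !== null) return false;
    if (at < this.acceptAfter) return false;
    this.decision = 'granted';
    return true;
  }
}

// Scenario helper: the prompt opens at t=0, fullscreen exits at t=exitAt
// (null for no exit), and the user clicks at t=clickAt. Returns whether the
// permission was granted.
function simulate(exitAt, clickAt) {
  const prompt = new PermissionPrompt(0);
  if (exitAt !== null) prompt.onFullscreenExit(exitAt);
  return prompt.clickAllow(clickAt);
}

// Constructed scenarios contrasting the plain delay with the extended one.
function demo() {
  return {
    earlyClick: simulate(null, 500),     // inside the delay: discarded
    lateClick: simulate(null, 1000),     // delay elapsed: honoured
    exitThenClick: simulate(800, 1000),  // exit at 800 moves deadline to 1800: discarded
    exitThenWait: simulate(800, 1800),   // after the extended deadline: honoured
  };
}
```

The point of the model is the `Math.max` in `onFullscreenExit`: the deadline is only ever moved later, so a fullscreen exit that happens near the end of the original delay cannot leave a click window that coincides with the fade animation. A page cannot apply this fix on the browser's behalf; the practical check for defenders is that deployed Firefox, Firefox ESR and Thunderbird builds are at or above the fixed versions listed above.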
Source: This report was generated using AI