
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-6867 is a clickjacking vulnerability discovered in Mozilla Firefox that affects Firefox ESR < 115.6 and Firefox < 121. The vulnerability was disclosed on December 19, 2023, and involves the timing of button clicks in relation to permission prompts. The issue specifically affects the popup transition mechanism in Firefox browsers (Mozilla Advisory).
The vulnerability exploits the timing between a button click causing a popup to disappear and the anti-clickjacking delay on permission prompts. An attacker could manipulate this timing to surprise users, luring them to click at the spot where the permission grant button was about to appear. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with required user interaction (NVD).
The vulnerability could allow attackers to perform clickjacking attacks, potentially tricking users into granting permissions they did not intend to give. This could lead to unauthorized access to browser features or resources that normally require explicit user permission (Mozilla Advisory).
The vulnerability has been fixed in Firefox ESR version 115.6 and Firefox version 121. Users are strongly recommended to upgrade to these versions or later to mitigate the risk. The fix was released as part of a security update that addressed multiple vulnerabilities (Debian Advisory, Mozilla Advisory).
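To check an inventory against the fixed versions above, the following added example (not taken from the Mozilla or Debian advisories) classifies version strings by channel. It assumes the strings look like `firefox --version` output with an `esr` suffix on ESR builds; the host names and sample strings are constructed.

```python
import re

# Fixed versions as stated in this advisory.
FIXED_ESR = (115, 6)      # Firefox ESR 115.6
FIXED_RELEASE = (121,)    # Firefox 121

# Matches the trailing version token, e.g. "115.5.0esr" or "120.0.1".
_VERSION_RE = re.compile(r"(?:^|\s)(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)

def parse_firefox_version(text):
    """Return (numeric tuple, is_esr) from a `firefox --version` style string."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None

def _older(a, b):
    """Compare dotted versions after padding, so 121 == 121.0 == 121.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def is_affected(text):
    numbers, is_esr = parse_firefox_version(text)
    # The ESR and release channels have different fixed versions: a non-ESR
    # 115.x build is compared against 121, not against 115.6.
    return _older(numbers, FIXED_ESR if is_esr else FIXED_RELEASE)

def audit(inventory):
    """Map host -> 'affected' | 'fixed' | 'unknown' for an inventory dict."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            report[host] = "unknown"   # e.g. beta builds: review by hand
    return report

# Constructed sample inventory (hypothetical hosts).
SAMPLE = {
    "ws-01": "Mozilla Firefox 115.5.0esr",
    "ws-02": "Mozilla Firefox 115.6.0esr",
    "ws-03": "Mozilla Firefox 120.0.1",
    "ws-04": "Mozilla Firefox 121.0",
    "ws-05": "Mozilla Firefox 121.0b9",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(host, status)
```

Pre-release strings such as `121.0b9` are reported as `unknown` rather than guessed, since the advisory only names the ESR and release fix versions.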
Source: This report was generated using AI