CVE-2023-6868: 
NixOS vulnerability analysis and mitigation

CVE-2023-6868 is a security vulnerability discovered in Firefox for Android that affects versions prior to 121.0. The vulnerability was disclosed on December 19, 2023, and involves the Web Push notification system. In some instances, the user-agent would allow push requests which lacked a valid VAPID (Voluntary Application Server Identification) key even though the push manager subscription defined one (Mozilla Advisory, NVD).

The vulnerability stems from Firefox for Android not properly enforcing VAPID key requirements for push notifications. When a push subscription is created with an application server key (VAPID), the browser would return a v1 URL instead of a v2 URL, effectively ignoring the provided VAPID key. This behavior differs from desktop Firefox, which correctly enforces VAPID key validation and returns v2 URLs for signed subscriptions (Mozilla Bug).

The vulnerability could allow unauthorized parties to send empty push messages to affected devices if they obtain the push endpoint URL. While the confidentiality of push notifications is not impacted, as the encryption keys are still required for sending actual data, the lack of VAPID validation means that any party could trigger push notifications without proper authorization, potentially leading to unexpected application behavior (Mozilla Bug).

The vulnerability has been fixed in Firefox 121.0. Users of Firefox for Android should update to version 121.0 or later to receive the security fix. The fix involves properly passing the application server key to the push subscription service (Mozilla Advisory).