CVE-2023-6870: 
NixOS vulnerability analysis and mitigation

CVE-2023-6870 is a security vulnerability affecting Android versions of Firefox and Firefox Focus browsers prior to version 121. The vulnerability was discovered by Hafiizh and disclosed on December 19, 2023. The issue involves applications that spawn Toast notifications in a background thread potentially obscuring fullscreen notifications displayed by Firefox (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The issue specifically affects the Toast notification system on Android, where background thread notifications could interfere with Firefox's fullscreen notification mechanism. This vulnerability was introduced as a regression from a previous security fix implemented in Firefox version 112 (Bugzilla).

The impact of this vulnerability is rated as low. While it could allow a malicious application to obscure Firefox's fullscreen notifications, the attack scenario requires a malicious app to be installed on the device first. The vulnerability could potentially be used for UI spoofing attacks, though the practical impact is limited due to the requirement of a pre-installed malicious application (Mozilla Advisory).

The vulnerability was fixed in Firefox version 121.0. The fix involved replacing the Toast notification system with a custom DialogFragment styled as a Snackbar for fullscreen notifications. Users are advised to upgrade to Firefox version 121.0 or later to receive the security fix (Mozilla Advisory, Gentoo Advisory).