CVE-2023-6871: 
NixOS vulnerability analysis and mitigation

CVE-2023-6871 is a security vulnerability in Mozilla Firefox that affects versions prior to 121.0. Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler. The vulnerability was discovered by Edward "JankhJankh" Prior and was disclosed on December 19, 2023. The issue affects Firefox's handling of protocol handlers, which are applications that interpret particular types of links (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The issue specifically relates to Firefox's behavior when handling protocol handler URLs directly entered in the address bar or set as the homepage, where the browser would skip the usual security warning prompt that would normally appear when accessing protocol handlers through other means (NVD).

The vulnerability could potentially allow attackers to trigger external applications without user warning, which could be particularly concerning when combined with vulnerable protocol handlers. This could lead to unexpected application execution and potential security risks, especially in cases where protocol handlers are associated with sensitive system functions or vulnerable applications (Mozilla Advisory).

The vulnerability has been fixed in Firefox version 121.0. Users are advised to upgrade to this version or later to receive the security fix. The fix has been deployed across various distributions, including Ubuntu 20.04 LTS which received version 121.0+build1-0ubuntu0.20.04.1 (Gentoo Advisory, Ubuntu Security).