CVE-2024-0748: 
NixOS vulnerability analysis and mitigation

CVE-2024-0748 is a security vulnerability discovered in Mozilla Firefox versions prior to 122. The vulnerability allows a compromised content process to update the document URI, potentially enabling an attacker to set an arbitrary URI in the address bar or history. The issue was discovered by Young Min Kim and was publicly disclosed on January 23, 2024 (Mozilla Advisory).

The vulnerability stems from insufficient validation in the WindowGlobalParent::RecvUpdateDocumentURI functionality. When a compromised content process updates the document URI, it could bypass the security checks that should prevent setting arbitrary URIs. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability could allow an attacker to manipulate the address bar display and browser history, potentially facilitating phishing attacks. Additionally, it could affect extension message verification as many extensions rely on MessageSender.url to verify whether messages came from trusted sources. The issue also impacts the 'Tabs sharing devices' menu and could potentially allow access to logins for another origin (Mozilla Bugzilla).

The vulnerability has been fixed in Firefox version 122. Users are advised to update their Firefox installations to this version or later to mitigate the risk. The fix involves implementing additional validation checks when updating document URIs (Mozilla Advisory).