CVE-2024-0750: 
NixOS vulnerability analysis and mitigation

CVE-2024-0750 is a security vulnerability discovered in Mozilla Firefox's popup notification system. The vulnerability stems from a bug in popup notifications delay calculation that could allow an attacker to perform clickjacking attacks to trick users into granting permissions. This vulnerability affects Firefox versions prior to 122, Firefox ESR versions before 115.7, and Thunderbird versions before 115.7 (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue specifically relates to how Firefox calculates delays for popup notifications, which could be exploited through a timing vulnerability in the permission request system (NVD).

The vulnerability could enable attackers to bypass permission request protections through clickjacking techniques, potentially tricking users into granting unwanted permissions to malicious websites. In Thunderbird, while the risk is generally lower since scripting is disabled when reading mail, the vulnerability could still pose risks in browser-like contexts (Mozilla Advisory).

The vulnerability has been patched in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Users are strongly advised to upgrade to these versions or later to protect against this security issue. The fix involves improvements to the popup notifications delay calculation mechanism (Mozilla Advisory, Debian Advisory).