CVE-2024-26281: 
NixOS vulnerability analysis and mitigation

CVE-2024-26281 is a security vulnerability discovered in Firefox for iOS versions prior to 123. The vulnerability was reported by James Lee and disclosed on February 19, 2024. The issue affects the QR code scanner functionality in Firefox for iOS, where an attacker could potentially execute unauthorized scripts on the current top origin sites in the URL bar (Mozilla Advisory, NVD).

The vulnerability is classified as a Cross-site Scripting (CWE-79) issue with a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. The vulnerability specifically involves the QR code scanner's handling of JavaScript URIs, where scanning a specially crafted QR code containing a Firefox URI with an encoded JavaScript payload could lead to script execution in the context of the current top origin sites (CISA-ADP).

When successfully exploited, this vulnerability could allow an attacker to execute unauthorized scripts on the current top origin sites displayed in the URL bar. The impact is rated as moderate, potentially allowing for unauthorized script execution in the context of legitimate websites (Mozilla Advisory).

The vulnerability has been fixed in Firefox for iOS version 123. Users are advised to update their Firefox for iOS application to the latest version to receive the security fix. The fix involves enforcing stricter scheme checks and limiting QR code navigation to only http/https URLs (Mozilla Advisory).