CVE-2024-26283: 
NixOS vulnerability analysis and mitigation

CVE-2024-26283 is a security vulnerability discovered in Firefox for iOS versions prior to 123. The vulnerability was disclosed on February 19, 2024, affecting Firefox's custom URL scheme functionality. The issue allows an attacker to execute unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme (Mozilla Advisory, NVD).

The vulnerability stems from Firefox iOS's support for a custom URL scheme called 'firefox://open-url' which is used for opening specified URLs from other apps. While Firefox normally prohibits opening URLs with javascript: scheme, this protection was bypassed when using the 'open-url' scheme. Additionally, if the URL contains '://' immediately after the URL scheme, the address bar of Firefox iOS would only show the rest of the URL, leading to potential address bar spoofing. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute unauthorized scripts on top origin sites, potentially leading to address bar spoofing and execution of malicious JavaScript code. This could result in unauthorized script execution even when Firefox is not set as the default browser, as the firefox://open-url scheme would still open Firefox if the app is installed (Mozilla Advisory).

The vulnerability has been fixed in Firefox for iOS version 123. The fix involves implementing proper scheme validation when handling URLs from external sources. Users are advised to update to the latest version of Firefox for iOS to protect against this vulnerability (Mozilla Advisory).