CVE-2024-6607: 
NixOS vulnerability analysis and mitigation

CVE-2024-6607 is a security vulnerability discovered in Mozilla Firefox and Thunderbird versions prior to 128. The vulnerability was reported by Irvan Kurniawan and was disclosed on July 9, 2024. It affects the pointerlock functionality and permission prompt system in these browsers (Mozilla Advisory).

The vulnerability involves a flaw in the browser's pointerlock mechanism where it was possible to prevent users from exiting pointerlock when pressing the escape key. Additionally, the vulnerability allowed overlaying customValidity notifications from a <select> element over certain permission prompts. The issue has been assessed with a CVSS 3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

The vulnerability could be exploited to confuse users into granting unintended permissions to malicious websites. This social engineering attack vector could potentially lead to escalated privileges or unauthorized access to browser features (Mozilla Advisory, CIS Advisory).

The vulnerability has been fixed in Firefox 128 and Thunderbird 128. Users are advised to update their browsers to these versions or later to mitigate the risk. The fix prevents the manipulation of pointerlock behavior and improves the handling of permission prompts (Mozilla Advisory).