CVE-2024-6611: 
NixOS vulnerability analysis and mitigation

A security vulnerability identified as CVE-2024-6611 was discovered in Firefox and Thunderbird browsers. The vulnerability affects Firefox versions below 128 and Thunderbird versions below 128, where a nested iframe triggering a cross-site navigation could send SameSite=Strict or Lax cookies. This issue was reported by Pedro Bernardo and was addressed in the Firefox 128 and Thunderbird 128 releases (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H by CISA-ADP (NVD). The issue specifically involves the incorrect handling of SameSite cookies during cross-site navigation scenarios involving nested iframes. The vulnerability was classified with a low impact severity by Mozilla in their security advisory (Mozilla Advisory).

The vulnerability could potentially allow attackers to bypass SameSite cookie restrictions, which are security controls designed to prevent cross-site request forgery (CSRF) attacks. This affects both Strict and Lax SameSite cookie settings, potentially compromising the intended security boundaries between different sites (Mozilla Advisory).

The vulnerability has been fixed in Firefox 128 and Thunderbird 128. Users are advised to upgrade to these versions or later to mitigate the risk. For Firefox, the fix is available in version 128.0+build2-0ubuntu0.20.04.1 for Ubuntu 20.04 LTS systems (Ubuntu Security). The vulnerability has also been fixed in the Debian sid release with Firefox version 135.0.1-1 (Debian Security).