CVE-2024-7518: 
NixOS vulnerability analysis and mitigation

CVE-2024-7518 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that allows select options to obscure the fullscreen notification dialog. The vulnerability was disclosed on August 6, 2024, affecting Firefox versions below 129, Firefox ESR versions below 128.1, and Thunderbird versions below 128.1 (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with no impact on confidentiality, high impact on integrity, and no impact on availability (NVD).

The vulnerability could be exploited by a malicious site to perform a spoofing attack by obscuring the fullscreen notification dialog. In Thunderbird, these flaws cannot be exploited through email since scripting is disabled when reading mail, but they remain potential risks in browser or browser-like contexts (Mozilla Advisory).

The vulnerability has been fixed in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Users are advised to update their software to these versions or newer to mitigate the risk (Mozilla Advisory, Mozilla Advisory, Mozilla Advisory).