CVE-2024-8388: 
NixOS vulnerability analysis and mitigation

Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. This vulnerability, tracked as CVE-2024-8388, affects Firefox versions prior to 130 specifically on Android devices, while other operating systems remain unaffected (Mozilla Advisory).

The vulnerability stems from the interaction between Firefox's fullscreen notification system and various UI elements on Android. After implementing a fix for a previous vulnerability (CVE-2023-6870) in Firefox 121, the notification system could still be manipulated through multiple prompts and panels from both Firefox and Android OS. As a mitigation, these notifications now use the Android Toast feature. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability could lead to spoofing of the browser UI. If exploited, an attacker could potentially trick users by obscuring the fullscreen transition notification, as the sudden appearance of prompts could distract users from noticing the visual transition happening behind the prompt (Mozilla Advisory).

The vulnerability has been fixed in Firefox version 130. Users should update their Android Firefox installations to this version or later. The fix implements the use of Android Toast feature for these notifications, which provides a more secure way of displaying the fullscreen transition notification (Mozilla Advisory).