CVE-2024-9391: 
NixOS vulnerability analysis and mitigation

CVE-2024-9391 is a security vulnerability discovered in Firefox Focus for Android that affects versions prior to Firefox 131. The vulnerability was reported by James Lee and disclosed on October 1, 2024. The issue specifically affects the full-screen functionality in Firefox Focus for Android, while other versions of Firefox are unaffected (Mozilla Advisory, NVD).

The vulnerability allows a user who enables full-screen mode on a specially crafted web page to be potentially prevented from exiting full-screen mode. This creates a security risk as the address bar becomes no longer visible, which could enable spoofing attacks. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (CISA Advisory).

The primary impact of this vulnerability is the potential for website spoofing attacks. When exploited, the vulnerability prevents users from exiting full-screen mode, making the address bar invisible. This could allow malicious actors to create convincing spoofing attacks as users cannot verify the actual website address they are visiting (Mozilla Advisory).

The vulnerability has been fixed in Firefox 131. Users of Firefox Focus for Android should update their browser to version 131 or later to mitigate this security risk (Mozilla Advisory).