Firefox For Security Vulnerabilities
An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox <...
6.1CVSS
6.1AI Score
0.001EPSS
Navigations through the Android-specific intent URL scheme could have been misused to escape iframe sandbox. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox <...
7.4CVSS
7.3AI Score
0.001EPSS
The DOMParser API did not properly process '' elements for escaping. This could be used as an mXSS vector to bypass an HTML Sanitizer. This vulnerability affects Firefox <...
6.1CVSS
6.3AI Score
0.001EPSS
One phishing tactic on the web is to provide a link with HTTP Auth. For example 'https://[email protected]'. To mitigate this type of attack, Firefox will display a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached.....
8.8CVSS
7.9AI Score
0.002EPSS
When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on...
8.1CVSS
5.4AI Score
0.002EPSS
The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. This vulnerability affects...
6.5CVSS
6.5AI Score
0.001EPSS
Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML...
4.3CVSS
5.5AI Score
0.001EPSS
By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. Note: This issue only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox <....
6.5CVSS
7AI Score
0.001EPSS
When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox <...
6.5CVSS
6.8AI Score
0.006EPSS
When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. Note: This.....
6.5CVSS
7.2AI Score
0.001EPSS
When an extension with the proxy permission registered to receive , the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox &l...
4.3CVSS
5.6AI Score
0.001EPSS
If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileges of the browser to read and interact with web content. The feature was implemented as a unix...
6.8CVSS
6.2AI Score
0.002EPSS
OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. This could result in a failure to enforce some certificate revocations. Note: This issue only affected Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox.....
6.5CVSS
6.4AI Score
0.001EPSS
Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. Note: This issue only affected Windows operating systems. Other operating systems are unaffected.. This...
6.5CVSS
6.2AI Score
0.001EPSS
Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was....
6.5CVSS
6.8AI Score
0.001EPSS
When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability...
6.5CVSS
6.5AI Score
0.001EPSS
When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original and subsequent request were in private and non-private browsing modes. Note: This issue only...
6.5CVSS
6.9AI Score
0.001EPSS
When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on...
4.3CVSS
5.5AI Score
0.001EPSS
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This...
5.3CVSS
5.5AI Score
0.001EPSS
During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android <...
4.7CVSS
5.6AI Score
0.0005EPSS
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android <...
4.7CVSS
5.7AI Score
0.0004EPSS
Mozilla developers reported memory safety bugs present in Firefox for Android 79. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 80, Firefox ESR <...
8.8CVSS
8.7AI Score
0.004EPSS
When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to inferring login status....
6.5CVSS
6.3AI Score
0.002EPSS
When typing in a password under certain conditions, a race may have occured where the InputContext was not being correctly set for the input field, resulting in the typed password being saved to the keyboard dictionary. This vulnerability affects Firefox for Android <...
3.1CVSS
4.6AI Score
0.001EPSS
A lock was missing when accessing a data structure and importing certificate information into the trust database. This vulnerability affects Firefox < 80 and Firefox for Android <...
4.3CVSS
5AI Score
0.001EPSS
Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR <.....
6.1CVSS
6.5AI Score
0.006EPSS
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious...
6.5CVSS
6.7AI Score
0.003EPSS
Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). Note: This issue only affected Firefox for Android. Other operating systems are unaffected.. This vulnerability affects...
5.5CVSS
5.1AI Score
0.001EPSS
An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79...
6.5CVSS
6.7AI Score
0.002EPSS
The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firef...
6.5CVSS
6.5AI Score
0.004EPSS
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68...
6.5CVSS
6.6AI Score
0.003EPSS
A rogue webpage could override the injected WKUserScript used by the logins autofill, this exploit could result in leaking a password for the current domain. This vulnerability affects Firefox for iOS <...
6.5CVSS
5.9AI Score
0.002EPSS
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. Note: This issue only affected Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox ESR....
5.5CVSS
5.2AI Score
0.001EPSS
A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS <...
4.3CVSS
4.2AI Score
0.001EPSS
A rogue webpage could override the injected WKUserScript used by the download feature, this exploit could result in the user downloading an unintended file. This vulnerability affects Firefox for iOS <...
6.5CVSS
5.8AI Score
0.001EPSS
A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins. This vulnerability affects Firefox for <...
7.4CVSS
6.8AI Score
0.002EPSS
When "%2F" was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory. This vulnerability affects Firefox <...
6.5CVSS
6.3AI Score
0.001EPSS
IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode. This vulnerability affects Firefox for iOS <...
6.5CVSS
5.9AI Score
0.001EPSS
For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS <...
4.3CVSS
4.1AI Score
0.001EPSS
An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.1, Thunderbird <...
8.8CVSS
8.2AI Score
0.004EPSS
When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt. This vulnerability affects Firefox <...
6.5CVSS
6.6AI Score
0.001EPSS
For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability affects Firefox for.....
7.5CVSS
7AI Score
0.002EPSS
A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird <...
8.1CVSS
8.4AI Score
0.01EPSS
A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference...
7.5CVSS
8AI Score
0.001EPSS
Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated...
2.8CVSS
5.6AI Score
0.0004EPSS
When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. Note: This issue only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox ESR.....
4.7CVSS
5.8AI Score
0.001EPSS
When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-origin', it was possible for the Web Extension to read local files. This vulnerability affects Firefox <...
7.5CVSS
7.4AI Score
0.002EPSS
When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by the document.location property, for example) was the originating javascript: URL which could lead.....
6.5CVSS
6.8AI Score
0.001EPSS
Command line arguments could have been injected during Firefox invocation as a shell handler for certain unsupported file types. This required Firefox to be configured as the default handler for a given file type and for a file downloaded to be opened in a third party application that...
8.8CVSS
8.2AI Score
0.003EPSS
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox <...