Mozilla

Mozilla Foundation Security Advisory 2016-05

Addressbar spoofing through stored data url shortcuts on Firefox for Android

Announced
January 26, 2016
Reporter
Muneaki Nishimura
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 44

Description

Security researcher Muneaki Nishimura reported an issue with displayed URLs and bookmarks on Firefox for Android. If a data: URL is opened from a stored shortcut on the homescreen or from a BOOKMARK intent from another installed Android application, the addressbar continues to show the data: url even if the content redirects to another page, hiding the true origin of the content. This was due to an error in how hosts were handled with data: URLs.

This issue only affects Firefox for Android. Firefox on other operating systems is not affected.

References