Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2016-05

Addressbar spoofing through stored data url shortcuts on Firefox for Android

Announced
January 26, 2016
Reporter
Muneaki Nishimura
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 44

Description

Security researcher Muneaki Nishimura reported an issue with displayed URLs and bookmarks on Firefox for Android. If a data: URL is opened from a stored shortcut on the homescreen or from a BOOKMARK intent from another installed Android application, the addressbar continues to show the data: url even if the content redirects to another page, hiding the true origin of the content. This was due to an error in how hosts were handled with data: URLs.

This issue only affects Firefox for Android. Firefox on other operating systems is not affected.

References