Mozilla Foundation Security Advisory 2024-08

Security Vulnerabilities fixed in Firefox for iOS 123

Announced: February 19, 2024
Impact: moderate
Products: Firefox for iOS
Fixed in:
  • Firefox for iOS 123

CVE-2024-26283: Address bar spoofing using Firefox custom open URL scheme

Reporter: Muneaki Nishimura
Impact: moderate
Description

An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme.


CVE-2024-26282: UXSS through a canonical element

Reporter: Muneaki Nishimura
Impact: moderate
Description

Using an AMP URL with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page.


CVE-2024-26281: QR code scanner allowed executing a JavaScript URI

Reporter: James Lee
Impact: moderate
Description

Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar.
