Mozilla Foundation Security Advisory 2024-09

Security Vulnerabilities fixed in Focus for iOS 122

Announced: February 19, 2024
Impact: high
Products: Focus for iOS
Fixed in: Focus for iOS 122

Note: CVE-2024-1563 was fixed in Focus for iOS 122, released on January 22, 2024, but was not announced until February 19, 2024.

CVE-2024-1563: UXSS exploit using a timeout after externally opening the application from a custom Focus scheme

Reporter: James Lee
Impact: high
Description

An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme and a timeout race condition.
