CVE-2023-29546
Description
When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potentially leaking sensitive information.
*This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox for Android < 112 and Focus for Android < 112.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Firefox for Android and Focus for Android below version 112, screen recording in Private Browsing mode fails to hide the address bar and keyboard, potentially leaking sensitive information.
Vulnerability
In Firefox for Android and Focus for Android versions prior to 112, a failure in the incognito screen recording protection mechanism leaves the address bar and keyboard visible during screen recording. The bug is tracked in Bugzilla as Bug 1780842 [2]. The official advisory confirms that the issue affects only these mobile platforms, not other operating systems [1].
Exploitation
An attacker with the ability to record the victim's screen (e.g., via screen recording apps installed on the device, or via maliciously obtained screen recordings) can capture the address bar and keyboard content. No special network position or authentication beyond local access to the device's screen output is required. The exploit assumes the victim has enabled screenshot blocking in Private Browsing, but the address bar is not covered by this protection, leaving sensitive URLs and input visible [2].
Impact
Successful exploitation leads to information disclosure: the attacker can read sensitive parameters, access tokens, emails, passwords, and other secrets typed into the address bar or keyboard during a screen recording session. The underlying data is not otherwise protected by encryption in the address bar display [2].
Mitigation
Users should update to Firefox for Android 112 or Focus for Android 112, released on April 11, 2023, which fixes this issue [1]. No workaround is available for unpatched versions.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6 <112 + 1 more
- (no CPE) range: <112
- (no CPE) range: unspecified
<112 + 1 more
- (no CPE) range: <112
- (no CPE) range: unspecified
- osv-coords, 2 versions: pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
< 128.5.1-1.1 + 1 more
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 112.0.1-1.1
Patches
1770b09a76b5e Version bump to 112.0
5 files changed · +5 −5
Blockzilla/Info.plist+1 −1 modified@@ -15,7 +15,7 @@ <key>CFBundlePackageType</key> <string>APPL</string> <key>CFBundleShortVersionString</key> - <string>9000</string> + <string>112.0</string> <key>CFBundleSignature</key> <string>????</string> <key>CFBundleURLTypes</key>
ContentBlocker/Info.plist+1 −1 modified@@ -17,7 +17,7 @@ <key>CFBundlePackageType</key> <string>XPC!</string> <key>CFBundleShortVersionString</key> - <string>9000</string> + <string>112.0</string> <key>CFBundleSignature</key> <string>????</string> <key>CFBundleVersion</key>
FocusIntentExtension/Info.plist+1 −1 modified@@ -17,7 +17,7 @@ <key>CFBundlePackageType</key> <string>XPC!</string> <key>CFBundleShortVersionString</key> - <string>9000</string> + <string>112.0</string> <key>CFBundleVersion</key> <string>1</string> <key>NSExtension</key>
OpenInFocus/Info.plist+1 −1 modified@@ -17,7 +17,7 @@ <key>CFBundlePackageType</key> <string>XPC!</string> <key>CFBundleShortVersionString</key> - <string>9000</string> + <string>112.0</string> <key>CFBundleVersion</key> <string>1</string> <key>NSExtension</key>
Widgets/Info.plist+1 −1 modified@@ -3,7 +3,7 @@ <plist version="1.0"> <dict> <key>CFBundleShortVersionString</key> - <string>9000</string> + <string>112.0</string> <key>NSExtension</key> <dict> <key>NSExtensionPointIdentifier</key>
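Review bot: CFBundleShortVersionString is hard-coded as a literal in each of the five Info.plist files (Blockzilla, ContentBlocker, FocusIntentExtension, OpenInFocus, Widgets), so every release repeats the same edit five times by hand, and a missed file would leave an extension reporting a different version from the host app. Consider referencing one shared build setting from all five plists so the version is changed in a single place. The replaced value 9000 reads like a development placeholder; if that is the convention, it is worth documenting next to the release steps so a build carrying 9000 is recognisable as unreleased.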
Vulnerability mechanics
Root cause
"The browser fails to hide the address bar and keyboard UI elements during screen recording while in Private Browsing mode on Android."
Attack vector
An attacker who gains the ability to record the screen of a victim's device (e.g., through a malicious screen-recording app or physical access) can capture the address bar and keyboard while the victim is browsing in Private Browsing mode on Firefox for Android or Focus for Android. The browser fails to hide these UI elements during recording, leaking the URL being visited and any text typed into the address bar or keyboard. No network-based exploitation is required; the attack relies on local screen-capture access. The advisory does not specify whether the attacker needs any additional permissions beyond screen-recording capability.
Affected code
The advisory describes a behavioral defect in Firefox for Android and Focus for Android where the address bar and keyboard remain visible during screen recording in Private Browsing mode. The supplied patch only bumps version strings in Info.plist files for the Focus-iOS repository and does not contain any code change that addresses the screen-recording behavior. Therefore the patch does not show the affected code path; the vulnerability exists in the Android-specific UI layer that controls visibility of the address bar and keyboard during screen capture.
What the fix does
The supplied patch [patch_id=1666564] only increments the CFBundleShortVersionString from "9000" to "112.0" across several Info.plist files in the Focus-iOS repository. This is a version bump and does not contain any code change that addresses the screen-recording vulnerability described in the advisory. The actual fix for the Android-specific issue is not present in this patch; the advisory notes that the vulnerability affects Firefox for Android and Focus for Android, while the patch targets an iOS repository. Therefore the patch does not explain how the vulnerability was closed.
Preconditions
- config: The victim must be using Firefox for Android or Focus for Android in Private Browsing mode.
- input: The attacker must have the ability to record the device screen (e.g., via a malicious app with screen-capture permission or physical access).
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References