CVE-2025-23108
Description
Opening JavaScript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Long-pressing a javascript: link in Firefox for iOS to open it in a new tab could allow the destination tab’s URL to be spoofed by a malicious script, patched in version 134.
Vulnerability
CVE-2025-23108 is a URL spoofing vulnerability in Firefox for iOS. When a user long-presses a javascript: link to open it in a new tab, a malicious script could manipulate the address bar of the newly opened tab, displaying a fake URL while the actual content is controlled by the attacker. The root cause lies in how the browser handles the context of javascript: URIs during the new-tab creation flow triggered by a long-press gesture. [1]
Exploitation
Exploitation requires user interaction: the victim must long-press a crafted javascript: link and choose to open it in a new tab. No additional privileges are needed; the attack is performed entirely client-side via a webpage the victim visits. The malicious script then spoofs the address bar of the resulting blank tab to show an arbitrary, legitimate-looking URL. [1]
Impact
A successful attack could trick the victim into believing they are on a trusted site (e.g., a login page or familiar web service). This could be used to facilitate phishing or to deliver further malicious content under the guise of a legitimate domain. The impact is rated moderate by Mozilla due to the required user interaction and the limited scope of address bar spoofing. [1]
Mitigation
Firefox for iOS 134, released January 10, 2025, fixes this vulnerability. Users should update to the latest version from the App Store. No workarounds are documented, and Mozilla's advisory lists no evidence of exploitation in the wild. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <134
- osv-coords, 13 versions (no CPE; range: >= 0 for each):
  - pkg:deb/ubuntu/firefox@134.0+build1-0ubuntu0.20.04.1?arch=source&distro=focal
  - pkg:deb/ubuntu/mozjs102@102.15.1-0ubuntu0.22.04.1?arch=source&distro=jammy
  - pkg:deb/ubuntu/mozjs102@102.15.1-3ubuntu2?arch=source&distro=noble
  - pkg:deb/ubuntu/mozjs115@115.10.0-1?arch=source&distro=noble
  - pkg:deb/ubuntu/mozjs115@115.16.0-1?arch=source&distro=oracular
  - pkg:deb/ubuntu/mozjs38@38.8.0~repack1-0ubuntu4?arch=source&distro=esm-apps/bionic
  - pkg:deb/ubuntu/mozjs52@52.9.1-0ubuntu0.18.04.1?arch=source&distro=esm-infra/bionic
  - pkg:deb/ubuntu/mozjs52@52.9.1-1ubuntu3?arch=source&distro=focal
  - pkg:deb/ubuntu/mozjs68@68.6.0-1ubuntu1?arch=source&distro=focal
  - pkg:deb/ubuntu/mozjs78@78.15.0-4ubuntu1?arch=source&distro=jammy
  - pkg:deb/ubuntu/mozjs91@91.10.0-0ubuntu1?arch=source&distro=jammy
  - pkg:deb/ubuntu/thunderbird@1:115.18.0+build1-0ubuntu0.20.04.1?arch=source&distro=focal
  - pkg:deb/ubuntu/thunderbird@1:115.18.0+build1-0ubuntu0.22.04.1?arch=source&distro=jammy
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2025-06/ (NVD; Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (NVD; Issue Tracking, Permissions Required)