VYPR

Firefox for Android

by Mozilla Corporation

CVEs (95)

  • CVE-2022-26486 | Cri | KEV | Dec 22, 2022
    risk 0.75 | cvss 9.6 | epss 0.02

    An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0,…

  • CVE-2022-26485 | Hig | KEV | Dec 22, 2022
    risk 0.70 | cvss 8.8 | epss 0.14

    Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and…

  • CVE-2026-2800 | Cri | Feb 24, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

  • CVE-2025-8042 | Cri | Aug 19, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.

  • CVE-2021-29971 | Cri | Aug 5, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This…

  • CVE-2022-1802 | Hig | Dec 22, 2022
    risk 0.59 | cvss 8.8 | epss 0.27

    If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox…

  • CVE-2022-1529 | Hig | Dec 22, 2022
    risk 0.59 | cvss 8.8 | epss 0.17

    An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects…

  • CVE-2023-29551 | Hig | Jun 2, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    Memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus…

  • CVE-2023-29550 | Hig | Jun 2, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for…

  • CVE-2023-29543 | Hig | Jun 2, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

  • CVE-2023-29541 | Hig | Jun 2, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    Firefox did not properly handle downloads of files ending in .desktop, which can be interpreted to run attacker-controlled commands. *This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable…

  • CVE-2023-29539 | Hig | Jun 2, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects…

  • CVE-2023-29536 | Hig | Jun 2, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR <…

  • CVE-2022-22758 | Hig | Dec 22, 2022
    risk 0.57 | cvss 8.8 | epss 0.00

    When clicking on a tel: link, USSD codes, specified after a \* character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request…

  • CVE-2021-29973 | Hig | Aug 5, 2021
    risk 0.57 | cvss 8.8 | epss 0.01

    Password autofill was enabled without user interaction on insecure websites on Firefox for Android. This was corrected to require user interaction with the page before a user's password would be entered by the browser's autofill functionality. *This bug only affects Firefox for…

  • CVE-2020-15670 | Hig | Oct 1, 2020
    risk 0.57 | cvss 8.8 | epss 0.01

    Mozilla developers reported memory safety bugs present in Firefox for Android 79. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox <…

  • CVE-2018-12391 | Hig | Feb 28, 2019
    risk 0.57 | cvss 8.8 | epss 0.02

    During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to…

  • CVE-2024-4765 | Hig | May 14, 2024
    risk 0.53 | cvss 8.1 | epss 0.00

    Web application manifests were stored by using an insecure MD5 hash which allowed for a hash collision to overwrite another application's manifest. This could have been exploited to run arbitrary code in another application's context. *This issue only affects Firefox for…

  • CVE-2022-34469 | Hig | Dec 22, 2022
    risk 0.53 | cvss 8.1 | epss 0.00

    When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user…

  • CVE-2021-29993 | Hig | Nov 3, 2021
    risk 0.53 | cvss 8.1 | epss 0.01

    Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 92.

Page 1 of 5