Firefox for Android
CVEs (89)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-36317 | | Med | 0.42 | 6.5 | 0.00 | | Dec 22, 2022 | When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects… |
| CVE-2021-29983 | | Med | 0.42 | 6.5 | 0.01 | | Aug 17, 2021 | Firefox for Android could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 91. |
| CVE-2020-26977 | | Med | 0.42 | 6.5 | 0.01 | | Jan 7, 2021 | By attempting to connect to a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability… |
| CVE-2020-26975 | | Med | 0.42 | 6.5 | 0.01 | | Jan 7, 2021 | When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed… |
| CVE-2020-26957 | | Med | 0.42 | 6.5 | 0.01 | | Dec 9, 2020 | OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. This could result in a failure to enforce some certificate revocations. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This… |
| CVE-2020-26955 | | Med | 0.42 | 6.5 | 0.01 | | Dec 9, 2020 | When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original and subsequent request were in private and non-private browsing modes. *Note:… |
| CVE-2020-15666 | | Med | 0.42 | 6.5 | 0.01 | | Oct 1, 2020 | When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to… |
| CVE-2020-15664 | | Med | 0.42 | 6.5 | 0.01 | | Oct 1, 2020 | By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended… |
| CVE-2023-29540 | | Med | 0.40 | 6.1 | 0.00 | | Jun 2, 2023 | Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus… |
| CVE-2022-45413 | | Med | 0.40 | 6.1 | 0.00 | | Dec 22, 2022 | Using the S.browser_fallback_url parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent. *This issue only affects Firefox for Android. Other operating systems are not affected.* This vulnerability affects… |
| CVE-2022-29910 | | Med | 0.40 | 6.1 | 0.00 | | Dec 22, 2022 | When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 100. |
| CVE-2021-43530 | | Med | 0.40 | 6.1 | 0.01 | | Dec 8, 2021 | A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 94. |
| CVE-2021-29953 | | Med | 0.40 | 6.1 | 0.01 | | Jun 24, 2021 | A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. *Note: This issue only affected Firefox for Android. Other operating… |
| CVE-2021-29944 | | Med | 0.40 | 6.1 | 0.01 | | Jun 24, 2021 | Lack of escaping allowed HTML injection when a webpage was viewed in Reader View. While a Content Security Policy prevents direct code execution, HTML injection is still possible. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This… |
| CVE-2021-23959 | | Med | 0.40 | 6.1 | 0.01 | | Feb 26, 2021 | An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 85. |
| CVE-2020-15650 | | Med | 0.36 | 5.5 | 0.01 | | Aug 10, 2020 | Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This… |
| CVE-2020-15649 | | Med | 0.36 | 5.5 | 0.01 | | Aug 10, 2020 | Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actual files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This… |
| CVE-2023-29546 | | Med | 0.35 | 6.5 | 0.00 | | Jun 19, 2023 | When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potentially leaking sensitive information. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects… |
| CVE-2021-29965 | | Med | 0.35 | 5.3 | 0.01 | | Jun 24, 2021 | A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other… |
| CVE-2021-23977 | | Med | 0.35 | 5.3 | 0.01 | | Feb 26, 2021 | Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability… |
Page 3 of 5