Firefox for iOS
CVEs (58)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2634 | Cri | 0.64 | 9.8 | 0.00 | Feb 24, 2026 | Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4. | ||
| CVE-2025-55031 | Cri | 0.64 | 9.8 | 0.00 | Aug 19, 2025 | Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This… | ||
| CVE-2025-54143 | Cri | 0.64 | 9.8 | 0.00 | Aug 19, 2025 | Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability was fixed in Firefox for iOS 141. | ||
| CVE-2023-49060 | Cri | 0.64 | 9.8 | 0.01 | Nov 21, 2023 | An attacker could have accessed internal pages or data by ex-filtrating a security key from ReaderMode via the `referrerpolicy` attribute. This vulnerability affects Firefox for iOS < 120. | ||
| CVE-2022-1887 | Cri | 0.64 | 9.8 | 0.01 | Dec 22, 2022 | The search term could have been specified externally to trigger SQL injection. This vulnerability affects Firefox for iOS < 101. | ||
| CVE-2017-14876 | Cri | 0.64 | 9.8 | 0.01 | Mar 30, 2018 | In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-21, the parameter params->entries[i].vfe_intf comes from userspace without any bounds check which could potentially result in a kernel out-of-bounds write. | ||
| CVE-2017-14918 | Cri | 0.64 | 9.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the GPS location wireless interface, a Use After Free condition can occur. | ||
| CVE-2017-14917 | Cri | 0.64 | 9.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer sizes in the message passing interface are not properly validated. | ||
| CVE-2025-54145 | Cri | 0.59 | 9.1 | 0.00 | Aug 19, 2025 | The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme. This vulnerability was fixed in Firefox for iOS 141. | ||
| CVE-2024-10004 | Cri | 0.59 | 9.1 | 0.00 | Oct 15, 2024 | Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly This vulnerability affects Firefox for iOS < 131.2. | ||
| CVE-2024-26283 | Hig | 0.51 | 7.8 | 0.00 | Feb 22, 2024 | An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. This vulnerability affects Firefox for iOS < 123. | ||
| CVE-2017-14892 | Hig | 0.51 | 7.8 | 0.00 | Mar 30, 2018 | In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-19, the return value of q6asm_open_shared_io() is not checked properly potentially leading to a possible dangling pointer access. | ||
| CVE-2017-11081 | Hig | 0.51 | 7.8 | 0.00 | Jan 10, 2018 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can… | ||
| CVE-2025-55029 | Hig | 0.49 | 7.5 | 0.00 | Aug 19, 2025 | Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142. | ||
| CVE-2024-31392 | Hig | 0.49 | 7.5 | 0.00 | Apr 3, 2024 | If an insecure element was added to a page after a delay, Firefox would not replace the secure icon with a mixed content security status This vulnerability affects Firefox for iOS < 124. | ||
| CVE-2020-6830 | Hig | 0.49 | 7.5 | 0.01 | May 26, 2020 | For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability… | ||
| CVE-2017-14875 | Hig | 0.49 | 7.5 | 0.01 | Mar 30, 2018 | In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-05-23, a heap overread vulnerability exists. | ||
| CVE-2020-15647 | Hig | 0.48 | 7.4 | 0.01 | Aug 10, 2020 | A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins. This vulnerability affects Firefox for < Android. | ||
| CVE-2024-26282 | Hig | 0.46 | 7.1 | 0.00 | Feb 22, 2024 | Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. This vulnerability affects Firefox for iOS < 123. | ||
| CVE-2026-53899 | Med | 0.42 | 6.5 | 0.00 | Jun 16, 2026 | Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0. |
- risk 0.64cvss 9.8epss 0.00
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4.
- risk 0.64cvss 9.8epss 0.00
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This…
- risk 0.64cvss 9.8epss 0.00
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability was fixed in Firefox for iOS 141.
- risk 0.64cvss 9.8epss 0.01
An attacker could have accessed internal pages or data by ex-filtrating a security key from ReaderMode via the `referrerpolicy` attribute. This vulnerability affects Firefox for iOS < 120.
- risk 0.64cvss 9.8epss 0.01
The search term could have been specified externally to trigger SQL injection. This vulnerability affects Firefox for iOS < 101.
- risk 0.64cvss 9.8epss 0.01
In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-21, the parameter params->entries[i].vfe_intf comes from userspace without any bounds check which could potentially result in a kernel out-of-bounds write.
- risk 0.64cvss 9.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the GPS location wireless interface, a Use After Free condition can occur.
- risk 0.64cvss 9.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer sizes in the message passing interface are not properly validated.
- risk 0.59cvss 9.1epss 0.00
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme. This vulnerability was fixed in Firefox for iOS 141.
- risk 0.59cvss 9.1epss 0.00
Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly This vulnerability affects Firefox for iOS < 131.2.
- risk 0.51cvss 7.8epss 0.00
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. This vulnerability affects Firefox for iOS < 123.
- risk 0.51cvss 7.8epss 0.00
In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-19, the return value of q6asm_open_shared_io() is not checked properly potentially leading to a possible dangling pointer access.
- risk 0.51cvss 7.8epss 0.00
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can…
- risk 0.49cvss 7.5epss 0.00
Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.
- risk 0.49cvss 7.5epss 0.00
If an insecure element was added to a page after a delay, Firefox would not replace the secure icon with a mixed content security status This vulnerability affects Firefox for iOS < 124.
- risk 0.49cvss 7.5epss 0.01
For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability…
- risk 0.49cvss 7.5epss 0.01
In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-05-23, a heap overread vulnerability exists.
- risk 0.48cvss 7.4epss 0.01
A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins. This vulnerability affects Firefox for < Android.
- risk 0.46cvss 7.1epss 0.00
Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. This vulnerability affects Firefox for iOS < 123.
- risk 0.42cvss 6.5epss 0.00
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.
Page 1 of 3