Firefox for iOS
CVEs (58)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2634 | Cri | 0.64 | 9.8 | 0.00 | Feb 24, 2026 | Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4. | ||
| CVE-2025-55031 | Cri | 0.64 | 9.8 | 0.00 | Aug 19, 2025 | Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This… | ||
| CVE-2025-54143 | Cri | 0.64 | 9.8 | 0.00 | Aug 19, 2025 | Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability was fixed in Firefox for iOS 141. | ||
| CVE-2017-14876 | Cri | 0.64 | 9.8 | 0.01 | Mar 30, 2018 | In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-21, the parameter params->entries[i].vfe_intf comes from userspace without any bounds check which could potentially result in a kernel out-of-bounds write. | ||
| CVE-2017-14918 | Cri | 0.64 | 9.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the GPS location wireless interface, a Use After Free condition can occur. | ||
| CVE-2017-14917 | Cri | 0.64 | 9.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer sizes in the message passing interface are not properly validated. | ||
| CVE-2025-54145 | Cri | 0.59 | 9.1 | 0.00 | Aug 19, 2025 | The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme. This vulnerability was fixed in Firefox for iOS 141. | ||
| CVE-2017-14892 | Hig | 0.51 | 7.8 | 0.00 | Mar 30, 2018 | In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-19, the return value of q6asm_open_shared_io() is not checked properly potentially leading to a possible dangling pointer access. | ||
| CVE-2017-11081 | Hig | 0.51 | 7.8 | 0.00 | Jan 10, 2018 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can… | ||
| CVE-2025-55029 | Hig | 0.49 | 7.5 | 0.00 | Aug 19, 2025 | Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142. | ||
| CVE-2017-14875 | Hig | 0.49 | 7.5 | 0.01 | Mar 30, 2018 | In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-05-23, a heap overread vulnerability exists. | ||
| CVE-2026-53899 | Med | 0.42 | 6.5 | 0.00 | Jun 16, 2026 | Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0. | ||
| CVE-2026-8706 | Med | 0.42 | 6.5 | 0.00 | May 19, 2026 | Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0. | ||
| CVE-2025-14744 | Med | 0.42 | 6.5 | 0.00 | Dec 18, 2025 | Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0. | ||
| CVE-2025-23109 | Med | 0.42 | 6.5 | 0.00 | Jan 11, 2025 | Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134. | ||
| CVE-2025-55030 | Med | 0.40 | 6.1 | 0.00 | Aug 19, 2025 | Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks. This vulnerability was fixed in Firefox for iOS 142. | ||
| CVE-2026-9309 | Med | 0.35 | 5.4 | 0.00 | Jun 1, 2026 | Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in… | ||
| CVE-2026-9308 | Med | 0.35 | 5.4 | 0.00 | Jun 1, 2026 | Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This… | ||
| CVE-2026-9078 | Med | 0.35 | 5.4 | 0.00 | May 25, 2026 | Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as… | ||
| CVE-2025-54144 | Med | 0.35 | 5.4 | 0.00 | Aug 19, 2025 | The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141. |
- risk 0.64cvss 9.8epss 0.00
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4.
- risk 0.64cvss 9.8epss 0.00
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This…
- risk 0.64cvss 9.8epss 0.00
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability was fixed in Firefox for iOS 141.
- risk 0.64cvss 9.8epss 0.01
In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-21, the parameter params->entries[i].vfe_intf comes from userspace without any bounds check which could potentially result in a kernel out-of-bounds write.
- risk 0.64cvss 9.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the GPS location wireless interface, a Use After Free condition can occur.
- risk 0.64cvss 9.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer sizes in the message passing interface are not properly validated.
- risk 0.59cvss 9.1epss 0.00
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme. This vulnerability was fixed in Firefox for iOS 141.
- risk 0.51cvss 7.8epss 0.00
In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-19, the return value of q6asm_open_shared_io() is not checked properly potentially leading to a possible dangling pointer access.
- risk 0.51cvss 7.8epss 0.00
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can…
- risk 0.49cvss 7.5epss 0.00
Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.
- risk 0.49cvss 7.5epss 0.01
In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-05-23, a heap overread vulnerability exists.
- risk 0.42cvss 6.5epss 0.00
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.
- risk 0.42cvss 6.5epss 0.00
Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.
- risk 0.42cvss 6.5epss 0.00
Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0.
- risk 0.42cvss 6.5epss 0.00
Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134.
- risk 0.40cvss 6.1epss 0.00
Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks. This vulnerability was fixed in Firefox for iOS 142.
- risk 0.35cvss 5.4epss 0.00
Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in…
- risk 0.35cvss 5.4epss 0.00
Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This…
- risk 0.35cvss 5.4epss 0.00
Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as…
- risk 0.35cvss 5.4epss 0.00
The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141.
Page 1 of 3