VYPR

Firefox for iOS

by Mozilla Corporation

CVEs (58)

  • CVE-2025-27426 | Med | Mar 4, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136.

  • CVE-2026-53900 | Med | Jun 16, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.

  • CVE-2026-2032 | Med | Feb 16, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.

  • CVE-2025-5020 | Med | May 21, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.

  • CVE-2025-27425 | Med | Mar 4, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first. This vulnerability was fixed in Firefox for iOS 136.

  • CVE-2025-27424 | Med | Mar 4, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability was fixed in Firefox for iOS 136.

  • CVE-2025-23108 | Med | Jan 11, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Opening JavaScript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134.

  • CVE-2025-10859 | Med | Sep 30, 2025
    risk 0.26 | cvss 4.0 | epss 0.00

    Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability was fixed in Firefox for iOS 143.1.

  • CVE-2024-53976 | Nov 26, 2024
    risk 0.00 | cvss | epss 0.00

    Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. This vulnerability affects Firefox for iOS < 133.

  • CVE-2024-53975 | Nov 26, 2024
    risk 0.00 | cvss | epss 0.00

    Accessing a non-secure HTTP site that uses a non-existent port may cause the SSL padlock icon in the location URL bar to, misleadingly, appear secure. This vulnerability affects Firefox for iOS < 133.

  • CVE-2024-10004 | Oct 15, 2024
    risk 0.00 | cvss | epss 0.00

    Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly. This vulnerability affects Firefox for iOS < 131.2.

  • CVE-2024-43111 | Aug 6, 2024
    risk 0.00 | cvss | epss 0.00

    Long pressing on a download link could potentially allow JavaScript commands to be executed within the browser. This vulnerability affects Firefox for iOS < 129.

  • CVE-2024-43113 | Aug 6, 2024
    risk 0.00 | cvss | epss 0.00

    The contextual menu for links could provide an opportunity for cross-site scripting attacks. This vulnerability affects Firefox for iOS < 129.

  • CVE-2024-43112 | Aug 6, 2024
    risk 0.00 | cvss | epss 0.00

    Long pressing on a download link could potentially provide a means for cross-site scripting. This vulnerability affects Firefox for iOS < 129.

  • CVE-2024-38312 | Jun 13, 2024
    risk 0.00 | cvss | epss 0.00

    When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination. This vulnerability affects Firefox for iOS < 127.

  • CVE-2024-38313 | Jun 13, 2024
    risk 0.00 | cvss | epss 0.00

    In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address. This vulnerability affects Firefox for iOS < 127.

  • CVE-2024-31392 | Apr 3, 2024
    risk 0.00 | cvss | epss 0.00

    If an insecure element was added to a page after a delay, Firefox would not replace the secure icon with a mixed content security status. This vulnerability affects Firefox for iOS < 124.

  • CVE-2024-31393 | Apr 3, 2024
    risk 0.00 | cvss | epss 0.00

    Dragging JavaScript URLs to the address bar could cause them to be loaded, bypassing restrictions and security protections. This vulnerability affects Firefox for iOS < 124.

  • CVE-2024-26281 | Feb 22, 2024
    risk 0.00 | cvss | epss 0.00

    Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. This vulnerability affects Firefox for iOS < 123.

  • CVE-2024-26282 | Feb 22, 2024
    risk 0.00 | cvss | epss 0.00

    Using an AMP URL with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. This vulnerability affects Firefox for iOS < 123.