CVE-2020-6827 — UI Misrepresentation / Clickjacking in Mozilla Firefox ESR

CWE-1021 — UI Misrepresentation / Clickjacking CWE-20 — Improper Input Validation CWE-451 — User Interface (UI) Misrepresentation of Critical Information7 documents7 sources

Severity

4.7MEDIUMNVD

EPSS

0.3%

top 44.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox ESR

Timeline

PublishedApr 24

Latest updateMay 24

Description

When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5mozilla/firefox_esrunspecified — 68.7

▶NVDmozilla/firefox_esr< 68.7.0

🔴Vulnerability Details

GHSA

GHSA-xvx2-w5pj-9472: When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying th↗2022-05-24

▶

CVEList

CVE-2020-6827: When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying th↗2020-04-24

▶

📋Vendor Advisories

Red Hat

Mozilla: Custom Tabs in Firefox for Android could have the URI spoofed↗2020-04-08

▶

Debian

CVE-2020-6827: firefox-esr - When following a link that opened an intent://-schemed URL, causing a custom tab...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-13: CVE-2020-6827↗

▶

💬Community

Bugzilla

CVE-2020-6827 Mozilla: Custom Tabs in Firefox for Android could have the URI spoofed↗2020-04-07

▶