CVE-2024-43111: Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for iOS < 129.

CVE-2024-43111 [MEDIUM] CVE-2024-43111: Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for iOS < 129.

CVE-2024-43111 [CRITICAL] CWE-79 GHSA-cr8r-7g9p-hcx6: Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for iOS < 129.

CVE-2024-43111 [MEDIUM] CVE-2024-43111: firefox - Long pressing on a download link could potentially allow Javascript commands to ... Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for iOS < 129. Scope: local sid: resolved

CVE-2024-43111 [MEDIUM] Mozilla Foundation Security Advisory 2024-36: CVE-2024-43111 Mozilla Foundation Security Advisory 2024-36 CVE: CVE-2024-43111 Product: Firefox for iOS Impact: low Fixed in: Firefox for iOS 129

iOS Firefox allows to run javascript with download iOS Firefox allows to run javascript with download We are able to run javascript URI from link through download which should be prevented. Discussion: Created attachment 9373057 1874907.html --- On it's own running javascript for the download isn't all that terrible, since the site could have various event handlers that ran scripts. It's wrong, of course, and in subsequent bugs you found worse things to do with it, but on it's own running script just here in this testcase I'd normally call "sec-low". I strongly suspect that this is yet another feature that doesn't go through a CENTRALIZED "is web content allowed to do this" check, and that you could also "download" a file:// URL (not very useful) or maybe some kind of internal deeplink that would cause a command to run. We need to st