Mozilla Firefox for iOS vulnerabilities
45 known vulnerabilities affecting mozilla/firefox_for_ios.
Total CVEs: 45
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 5, MEDIUM 33
Vulnerabilities
Page 1 of 3
CVE-2026-2634 | CRITICAL | CVSS 9.8 | CWE-451 | ≥ unspecified, < 147.4 | 2026-02-24
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability affects Firefox for iOS < 147.4.
cvelistv5, nvd
CVE-2026-2032 | MEDIUM | CVSS 4.3 | CWE-451 | ≥ unspecified, < 147.2.1 | 2026-02-16
Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability affects Firefox for iOS < 147.2.1.
cvelistv5, nvd
CVE-2025-14744 | MEDIUM | CVSS 6.5 | CWE-451 | ≥ unspecified, < 144.0 | 2025-12-18
Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.
cvelistv5, nvd
CVE-2025-10859 | MEDIUM | CVSS 4.0 | CWE-359 | ≥ unspecified, < 143.1 | 2025-09-30
Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability affects Firefox for iOS < 143.1.
cvelistv5, nvd
CVE-2025-54145 | CRITICAL | CVSS 9.1 | CWE-601 | ≥ unspecified, < 141 | 2025-08-19
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme. This vulnerability affects Firefox for iOS < 141.
cvelistv5, nvd
CVE-2025-55031 | CRITICAL | CVSS 9.8 | CWE-601 | ≥ unspecified, < 142 | 2025-08-19
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.
cvelistv5, nvd
CVE-2025-54143 | CRITICAL | CVSS 9.8 | CWE-693 | ≥ unspecified, < 141 | 2025-08-19
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability affects Firefox for iOS < 141.
cvelistv5, nvd
CVE-2025-55029 | HIGH | CVSS 7.5 | CWE-400 | ≥ unspecified, < 142 | 2025-08-19
Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability affects Firefox for iOS < 142.
cvelistv5, nvd
CVE-2025-55030 | MEDIUM | CVSS 6.1 | CWE-640 | ≥ unspecified, < 142 | 2025-08-19
Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks. This vulnerability affects Firefox for iOS < 142.
cvelistv5, nvd
CVE-2025-55028 | MEDIUM | CVSS 6.5 | CWE-400 | ≥ unspecified, < 142 | 2025-08-19
Malicious scripts utilizing repetitive JavaScript alerts could prevent client user interaction in some scenarios and allow for denial of service attacks. This vulnerability affects Firefox for iOS < 142.
cvelistv5, nvd
CVE-2025-54144 | MEDIUM | CVSS 5.4 | CWE-601 | ≥ unspecified, < 141 | 2025-08-19
The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability affects Firefox for iOS < 141.
cvelistv5, nvd
CVE-2025-5020 | MEDIUM | CVSS 4.3 | CWE-939 | ≥ unspecified, < 139 | 2025-05-21
Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability affects Firefox for iOS < 139.
cvelistv5, nvd
CVE-2025-27426 | MEDIUM | CVSS 5.4 | CWE-601 | ≥ unspecified, < 136 | 2025-03-04
Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability affects Firefox for iOS < 136.
cvelistv5, nvd
CVE-2025-27424 | MEDIUM | CVSS 4.3 | CWE-601 | ≥ unspecified, < 136 | 2025-03-04
Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability affects Firefox for iOS < 136.
cvelistv5, nvd
CVE-2025-27425 | MEDIUM | CVSS 4.3 | CWE-287 | ≥ unspecified, < 136 | 2025-03-04
Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first. This vulnerability affects Firefox for iOS < 136.
cvelistv5, nvd
CVE-2025-23108 | MEDIUM | CVSS 4.3 | CWE-79 | ≥ unspecified, < 134 | 2025-01-11
Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS < 134.
cvelistv5, nvd
CVE-2025-23109 | MEDIUM | CVSS 6.5 | CWE-346 | ≥ unspecified, < 134 | 2025-01-11
Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability affects Firefox for iOS < 134.
cvelistv5, nvd
CVE-2024-53976 | MEDIUM | CVSS 5.4 | CWE-1021 | ≥ unspecified, < 133 | 2024-11-26
Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. This vulnerability affects Firefox for iOS < 133.
cvelistv5, nvd
CVE-2024-53975 | MEDIUM | CVSS 5.4 | ≥ unspecified, < 133 | 2024-11-26
Accessing a non-secure HTTP site that uses a non-existent port may cause the SSL padlock icon in the location URL bar to, misleadingly, appear secure. This vulnerability affects Firefox for iOS < 133.
cvelistv5, nvd
CVE-2024-10004 | CRITICAL | CVSS 9.1 | CWE-1021 | ≥ unspecified, < 131.2 | 2024-10-15
Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly. This vulnerability affects Firefox for iOS < 131.2.
cvelistv5, nvd