Mozilla Firefox for iOS vulnerabilities

28 known vulnerabilities affecting mozilla/firefox_for_ios.

Total CVEs: 28
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 4, MEDIUM 21

Vulnerabilities

Page 2 of 2
CVE-2022-31746 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 102 | 2022-12-22
CVE-2022-31746 [MEDIUM] CWE-200: Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header. This vulnerability affects Firefox for iOS < 102.
cvelistv5, nvd
CVE-2021-29958 | MEDIUM | CVSS 4.3 | ≥ unspecified, < 34 | 2021-06-24
CVE-2021-29958 [MEDIUM] CWE-862: When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability affects Firefox for iOS < 34.
cvelistv5, nvd
CVE-2020-15661 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 28 | 2020-08-10
CVE-2020-15661 [MEDIUM] CWE-522: A rogue webpage could override the injected WKUserScript used by the logins autofill, this exploit could result in leaking a password for the current domain. This vulnerability affects Firefox for iOS < 28.
cvelistv5, nvd
CVE-2020-15651 | MEDIUM | CVSS 4.3 | ≥ unspecified, < 28 | 2020-08-10
CVE-2020-15651 [MEDIUM]: A Unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS < 28.
cvelistv5, nvd
CVE-2020-15662 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 28 | 2020-08-10
CVE-2020-15662 [MEDIUM]: A rogue webpage could override the injected WKUserScript used by the download feature, this exploit could result in the user downloading an unintended file. This vulnerability affects Firefox for iOS < 28.
cvelistv5, nvd
CVE-2020-12404 | MEDIUM | CVSS 4.3 | ≥ unspecified, < 26 | 2020-07-09
CVE-2020-12404 [MEDIUM] CWE-79: For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26.
cvelistv5, nvd
CVE-2020-12414 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 27 | 2020-07-09
CVE-2020-12414 [MEDIUM] CWE-459: IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode. This vulnerability affects Firefox for iOS < 27.
cvelistv5, nvd
CVE-2020-6830 | HIGH | CVSS 7.5 | ≥ unspecified, < 25 | 2020-05-26
CVE-2020-6830 [HIGH] CWE-200: For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability affects Firefox for iOS < 25.
cvelistv5, nvd