Main Vulnerability Database SB2021022317

SB2021022317 - Multiple vulnerabilities in Mozilla Firefox for Android

Published: February 23, 2021

Security Bulletin ID SB2021022317

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Race condition (CVE-ID: CVE-2021-23977)

The vulnerability allows a malicious application to read sensitive information.

The vulnerability exists due to a race condition. A local application can read sensitive data from Firefox directories.

2) Security restrictions bypass (CVE-ID: CVE-2021-23976)

The vulnerability allows a local application to escalate privileges on the system.

When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites.

Remediation

Install update from vendor's website.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/