SB2024022307 - Multiple vulnerabilities in Mozilla Firefox for iOS

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Spoofing attack (CVE-ID: CVE-2024-26283)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data when clicking on a link with custom URL scheme. A remote attacker can spoof the address bar of the browser window.

2) Universal cross-site scripting (CVE-ID: CVE-2024-26282)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when handling AMP URL with a canonical element. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Code Injection (CVE-ID: CVE-2024-26281)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the browser.

The vulnerability exists due to improper input validation within the QR code scanner. A remote attacker can trick the victim to scan a specially crafted QR code and execute arbitrary JavaScript code on the current top origin sites in the URL bar.

Remediation

Install update from vendor's website.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1850158
• https://www.mozilla.org/security/advisories/mfsa2024-08/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1863788
• https://bugzilla.mozilla.org/show_bug.cgi?id=1868005