Multiple vulnerabilities in Firefox Focus for Android
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 18 |
| CVE-ID | CVE-2023-25731 CVE-2023-25743 CVE-2023-25746 CVE-2023-25745 CVE-2023-25744 CVE-2023-25742 CVE-2023-25741 CVE-2023-25736 CVE-2023-25733 CVE-2023-25740 CVE-2023-25728 CVE-2023-25732 CVE-2023-25729 CVE-2023-25739 CVE-2023-25737 CVE-2023-25735 CVE-2023-0767 CVE-2023-25730 |
| CWE-ID | CWE-94 CWE-357 CWE-119 CWE-20 CWE-200 CWE-704 CWE-476 CWE-254 CWE-787 CWE-416 CWE-451 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Firefox Focus for Android Mobile applications / Apps for mobile phones |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 18 vulnerabilities.
1) Prototype pollution
EUVDB-ID: #VU72259
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25731
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScrpit code on the target system.
The vulnerability exists due to URL previews in the network panel of developer tools improperly store URLs. A remote attacker can use query parameters to overwrite global objects in privileged code when rendering URLPreview and perform prototype pollution.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU72267
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25743
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to notification is not displayed when the browser is entering the fullscreen mode. A remote attacker can trick the victim to visit a malicious website and perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU72266
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25746
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing web content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU72265
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25745
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing web content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU72264
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25744
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing web content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU72263
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25742
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Web Crypto ImportKey when importing SPKI RSA public key as ECDSA P-256. A remote attacker can trick the victim to import the public key and crash the browser tab.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU72262
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25741
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to information disclosure when dragging and dropping an image cross-origin. A remote attacker can obtain the image size.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Type conversion
EUVDB-ID: #VU72261
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25736
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an invalid downcast from nsHTMLDocument to nsIContent in GetTableSelectionMode. A remote attacker can crash the browser.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) NULL pointer dereference
EUVDB-ID: #VU72260
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25733
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in TaskbarPreviewCallback when processing data returned from gfx::SourceSurfaceSkia::Map(). A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Security features bypass
EUVDB-ID: #VU72258
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25740
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error when handling .scf scrips that are opened by the browser from the local filesystem. A remote attacker can trick the victim into launching a specially crafted .scf script that then initiates network requests from the operating system to the malicious server. A remote attacker can obtain potentially sensitive information including NTLM credentials.
Note, the vulnerability affects Windows installations only. MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Information disclosure
EUVDB-ID: #VU72248
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25728
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the Content-Security-Policy-Report-Only header can leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. A remote attacker can gain access to potentially sensitive information.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Out-of-bounds write
EUVDB-ID: #VU72256
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25732
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error within EncodeInputStream when encoding data from an inputStream in xpcom. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU72255
Risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25729
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to missing permissions prompts for opening external schemes were only shown for ContentPrincipals. A malicious extension can open external schemes without user interaction via ExpandedPrincipals and perform other potentially dangerous actions, such as downloading files or interacting with software already installed on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Use-after-free
EUVDB-ID: #VU72254
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25739
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in mozilla::dom::ScriptLoadContext::~ScriptLoadContext(). Module load requests that failed were not being checked as to whether or not they were cancelled in ScriptLoadContext. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Type conversion
EUVDB-ID: #VU72252
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25737
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an invalid downcast from nsTextNode to SVGElement in SVGUtils::SetupStrokeGeometry(). A remote attacker can trigger type conversion error and potentially execute arbitrary code.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Use-after-free
EUVDB-ID: #VU72251
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25735
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in SpiderMonkey when in the way cross-compartment wrappers wrapping a scripted proxy. A remote attacker can execute arbitrary code on the target system.
Install update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Out-of-bounds write
EUVDB-ID: #VU72250
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0767
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing PKCS 12 Safe Bag attributes. A remote attacker can create a specially crafted PKCS 12 cert bundle, trick the victim into loading it, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Spoofing attack
EUVDB-ID: #VU72249
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25730
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the possibility of screen hijacking. A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsFirefox Focus for Android: 108.2.0 - 109.2.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
