SB2025072255 - Multiple vulnerabilities in Firefox for iOS

Description

This security bulletin contains information about 3 vulnerabilities.

1) Protection Mechanism Failure (CVE-ID: CVE-2025-54143)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page

2) Spoofing attack (CVE-ID: CVE-2025-54144)

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link.

3) Spoofing attack (CVE-ID: CVE-2025-54145)

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme.

Remediation

Install update from vendor's website.

References

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-60/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1946062
• https://bugzilla.mozilla.org/show_bug.cgi?id=1946122