Main Vulnerability Database Vulnerabilities #VU48475

Spoofing attack in Firefox for Android - CVE-2020-26954

Published: November 17, 2020

Vulnerability identifier: #VU48475

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-26954

CWE-ID: CWE-451

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Mozilla

Affected software:
Firefox for Android

Detailed vulnerability description

The vulnerability allows a local application to perform spoofing attack.

The vulnerability exists due to incorrect processing of web manifests. When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites.

How to mitigate CVE-2020-26954

Install updates from vendor's website.

Sources

https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/

Spoofing attack in Firefox for Android - CVE-2020-26954

Detailed vulnerability description

How to mitigate CVE-2020-26954

Sources

Please verify you're human