Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.
The sandbox mechanism for HTML iframe elements provides an `allow-downloads` attribute, which must be explicitly granted for a frame to initiate file downloads. In Firefox for Android, the control of this permission was implemented incorrectly (CWE-732 — Incorrect Permission Assignment for Resource), as a result a sandboxed iframe without the `allow-downloads` attribute could still initiate file downloads. An attacker could place a malicious iframe on a controlled website and initiate downloads without the user's knowledge or consent.
An attacker can initiate the download of arbitrary files on a user's device without required permissions, which may lead to the delivery of malicious software or unauthorized file writes on an Android device.
Firefox for Android should be updated to version 141 or later, in which the vulnerability has been fixed. The update is available through the Google Play Store.
Mozilla Firefox for Android in versions prior to Firefox 141 (on Google Android devices)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoogle Android
OSGooglewszystkie wersjeMozilla Firefox
APPMozilla< 141.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...