Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4.
A malicious script can trigger a desynchronization state between the browser's address bar and the loaded web content at the moment when the server response has not yet been received. This allows the attacker to display their own controlled page while showing a trusted, fake domain in the address bar. This mechanism falls into the CWE-451 category, which involves errors that mislead the user about the source of presented information.
An attacker can effectively impersonate trusted web services (e.g., banks, login portals), phishing authentication credentials or other sensitive information from users who are unable to distinguish a fake page from a real one based on the address bar.
Firefox for iOS should be updated to version 147.4 or later, in which the vulnerability has been fixed. The update is available through the Apple App Store.
Mozilla Firefox for iOS in versions prior to 147.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 147.4
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...