Firefox Focus
CVE-2023-25743
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.<br>*This bug only affects Firefox Focus. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8.
AnalysisAI
A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.<br>*This bug only affects Firefox Focus. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-290. A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.<br>*This bug only affects Firefox Focus. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. Affected products include: Mozilla Firefox Focus.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Firefox Focus
View allAn unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. Rated c
Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. Rated high severity (CVSS
Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website,
Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. Rated critical sev
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sit
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in link
When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden,
An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascr
Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Fo
The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar This
Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displaye
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today