Firefox Focus
CVE-2024-0606
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.
AnalysisAI
An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122. Affected products include: Mozilla Firefox Focus.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Firefox Focus
View allAn unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. Rated c
Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. Rated high severity (CVSS
Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website,
Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. Rated critical sev
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sit
A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrom
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in link
When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden,
Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Fo
The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar This
Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displaye
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today