Skip to main content

Firefox for iOS CVE-2026-13356

| EUVDEUVD-2026-41972 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-07-07 security@mozilla.org GHSA-66fv-p34j-fwgr
6.3
CVSS 3.1 · Vendor: mozilla
Share

Severity by source

Vendor (mozilla) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-delivered UI spoofing requiring active user navigation; no availability impact applies to address bar deception; C:L and I:L reflect phishing-grade credential and content integrity risk.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mozilla).

CVSS VectorVendor: mozilla

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jul 07, 2026 - 14:28 vuln.today
CVSS changed
Jul 07, 2026 - 14:22 NVD
6.3 (MEDIUM)
CVE Published
Jul 07, 2026 - 00:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 07, 2026 - 00:16 cve.org
MEDIUM 6.3

DescriptionCVE.org

A malicious webpage could interrupt a pending navigation by enqueuing a synchronous JavaScript dialog, causing the browser UI to display the destination origin in the address bar while continuing to render attacker-controlled content. This vulnerability was fixed in Firefox for iOS 152.3.

AnalysisAI

Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to attacker-controlled webpage
Delivery
Victim taps link initiating navigation to legitimate origin
Exploit
Malicious page enqueues synchronous JS dialog mid-navigation
Execution
Navigation interrupted; address bar displays legitimate destination origin
Persist
Attacker content continues rendering in browser viewport
Impact
Victim submits credentials to attacker-controlled phishing form

Vulnerability AssessmentAI

Exploitation The victim must be using Firefox for iOS (not Safari, Chrome, or any other iOS browser) on an Apple iOS device running a version of Firefox for iOS prior to 152.3. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.3 with AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L accurately captures a moderate-severity phishing primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a convincing lure page (e.g., a fake login portal or prize notification) and entices a Firefox for iOS user to visit it. When the user taps a link to navigate to their bank's real domain, the malicious page immediately triggers a JavaScript alert dialog, interrupting the navigation; the address bar flips to display the bank's legitimate URL while the attacker's phishing form continues to render in the viewport. …
Remediation Update Firefox for iOS to version 152.3 or later via the Apple App Store; this is the vendor-released patch confirmed in Mozilla Security Advisory MFSA2026-65 (https://www.mozilla.org/security/advisories/mfsa2026-65/). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-4495 HIGH POC
8.8 Aug 08

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote

CVE-2013-1690 HIGH POC
8.8 Jun 26

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2013-0643 HIGH
8.8 Feb 27

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b

Share

CVE-2026-13356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy