A vulnerability classified as critical has been found in Mozilla Firefox ESR up to 68.6 on Android (Web Browser). Affected is an unknown code of the component intent:/-schemed Handler. The manipulation with an unknown input leads to a ui layer vulnerability (Address). CWE is classifying the issue as CWE-1021. The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. <br> *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.7.

The weakness was presented 04/24/2020. This vulnerability is traded as CVE-2020-6827 since 01/10/2020. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 04/25/2020).

Upgrading to version 68.7 eliminates this vulnerability.

See VDB-154369 for similar entry. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Web Browser

Vendor

• Mozilla

Name

• Firefox ESR

Version

• 68.0
• 68.1
• 68.2
• 68.3
• 68.4
• 68.5
• 68.6

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion