CVE-2021-23976 in Firefox
Summary
by MITRE • 02/26/2021
When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: This issue is a different issue from CVE-2020-26954 and only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86.
Analysis
by VulDB Data Team • 08/12/2025
This vulnerability represents a critical security flaw in Firefox for Android that stems from improper validation of web application manifests when processing intents from other installed applications. The issue occurs within the browser's intent handling mechanism where Firefox fails to properly verify the origin and authenticity of manifest files submitted through inter-application communication channels. When another application sends an intent containing a webapp manifest, Firefox accepts this manifest without sufficient validation of the file path or origin, allowing malicious applications to specify manifest content from arbitrary locations on the device's file system. This fundamental breakdown in input validation creates a dangerous attack vector that directly violates security principles of least privilege and origin isolation.
The flaw sits in Firefox's Android-specific codebase, where the intent processing subsystem does not properly sanitize or validate the source of manifest files received through the Android intent system. It specifically affects the webapp installation and registration process, where Firefox should only accept manifests from verified sources and proper origins. However, the affected implementation (Firefox for Android before 86) allows any installed application to submit a manifest file from any arbitrary file path, effectively bypassing the normal security boundaries that should protect against cross-origin attacks. This flaw operates at the intersection of Android application intercommunication and web application security, creating a scenario where malicious applications can manipulate Firefox's webapp registration process to include manifests from unauthorized locations.
The operational impact of this vulnerability is severe and multifaceted, providing attackers with capabilities that could be exploited for sophisticated phishing and UI spoofing attacks. An attacker with a malicious application installed on the target device could craft a manifest file that, when processed by Firefox, would grant the application fullscreen access to the browser interface. This fullscreen access enables the creation of convincing fake web pages that can deceive users into entering sensitive information or performing actions they would not normally do. Additionally, the vulnerability opens pathways for cross-origin attacks where the malicious manifest could be used to target specific websites, potentially enabling session hijacking, credential theft, or other advanced persistent threats. The attack surface is particularly concerning because it leverages the trust relationship between applications on Android, where legitimate applications can communicate with each other through intents, but the receiving application fails to validate the integrity and origin of the data being passed.
This vulnerability aligns with several common weakness enumerations including CWE-22 Path Traversal and CWE-345 Insufficient Verification of Data Authenticity, while also mapping to ATT&CK techniques such as T1059 Command and Scripting Interpreter and T1566 Phishing through the UI spoofing capabilities. The flaw demonstrates a classic case of insufficient input validation where the application fails to properly verify the source and authenticity of data received through external channels, creating a path for privilege escalation and user deception. Organizations should prioritize immediate patching of Firefox for Android installations to version 86 or later where this vulnerability has been addressed through improved intent validation and manifest source verification. Security teams should also consider monitoring for suspicious application behavior and intent handling patterns that might indicate exploitation attempts, while implementing application whitelisting policies where appropriate to limit the potential impact of such vulnerabilities in environments where multiple applications are installed.
The remediation approach for this vulnerability requires updating Firefox to version 86 or later where the intent handling mechanism has been modified to properly validate manifest sources and prevent arbitrary file path access. The fix likely involves implementing stricter checks on the origin of manifest files received through Android intents, ensuring that only manifests from verified sources can be processed for webapp installation. Security professionals should also consider implementing network monitoring to detect unusual intent traffic patterns that might indicate exploitation attempts, while maintaining awareness of similar vulnerabilities in other browsers and mobile applications that might exhibit similar trust relationship issues with inter-application communication.
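The kind of check described above, sketched as an added example; it is not Mozilla's patch or Firefox code. The function name, the request shape (`manifestUrl`, `manifest`) and the policy of requiring `start_url` and `scope` to share the manifest's HTTPS origin are assumptions made for illustration, and all sample values are constructed.

```javascript
// Hypothetical validator for a webapp manifest handed over by another app.
// Assumed policy: the manifest must come from an https: URL (never a local
// file or content provider), and start_url/scope must stay on that origin.
const ALLOWED_SCHEMES = new Set(["https:"]);

function parseUrl(value, base) {
  try {
    return new URL(value, base);
  } catch (_) {
    return null; // relative without a base, or malformed
  }
}

// request: { manifestUrl: string, manifest: object } from an untrusted sender.
function validateManifestRequest(request) {
  const manifestUrl = parseUrl(request.manifestUrl);
  if (!manifestUrl) {
    return { ok: false, reason: "manifest location is not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(manifestUrl.protocol)) {
    // Rejects file:, content:, data: and any other non-web source.
    return { ok: false, reason: `scheme ${manifestUrl.protocol} not allowed` };
  }
  const manifest = request.manifest || {};
  if (typeof manifest.start_url !== "string") {
    return { ok: false, reason: "missing start_url" };
  }
  const startUrl = parseUrl(manifest.start_url, manifestUrl);
  if (!startUrl || startUrl.origin !== manifestUrl.origin) {
    return { ok: false, reason: "start_url is cross-origin" };
  }
  // Default scope: start_url with filename, query and fragment removed.
  const scopeValue = typeof manifest.scope === "string" ? manifest.scope : ".";
  const scope = parseUrl(scopeValue, startUrl);
  if (!scope || scope.origin !== startUrl.origin) {
    return { ok: false, reason: "scope is cross-origin" };
  }
  if (!startUrl.pathname.startsWith(scope.pathname)) {
    return { ok: false, reason: "start_url is outside scope" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample requests.
const SAMPLES = {
  localFile: { manifestUrl: "file:///data/local/tmp/m.webmanifest", manifest: { start_url: "/" } },
  barePath: { manifestUrl: "/sdcard/Download/m.webmanifest", manifest: { start_url: "/" } },
  otherOrigin: { manifestUrl: "https://app.example/m.json", manifest: { start_url: "https://bank.example/login", display: "fullscreen" } },
  sameOrigin: { manifestUrl: "https://app.example/m.json", manifest: { start_url: "/index.html", scope: "/" } },
};
```
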