Mozilla Foundation Security Advisory 2016-05

Addressbar spoofing through stored data url shortcuts on Firefox for Android

Announced

January 26, 2016

Reporter

Muneaki Nishimura

Impact

Moderate

Products

Firefox

Fixed in

Firefox 44

Description

Security researcher Muneaki Nishimura reported an issue with displayed URLs and bookmarks on Firefox for Android. If a data: URL is opened from a stored shortcut on the homescreen or from a BOOKMARK intent from another installed Android application, the addressbar continues to show the data: url even if the content redirects to another page, hiding the true origin of the content. This was due to an error in how hosts were handled with data: URLs.

This issue only affects Firefox for Android. Firefox on other operating systems is not affected.

References

Address bar spoofing with a BOOKMARK shortcut of data: URL (CVE-2016-1940)

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising