Mozilla Foundation Security Advisory 2016-05

Addressbar spoofing through stored data url shortcuts on Firefox for Android

Announced

January 26, 2016

Reporter

Muneaki Nishimura

Impact

Moderate

Products

Firefox

Fixed in

Firefox 44

Description

Security researcher Muneaki Nishimura reported an issue with displayed URLs and bookmarks on Firefox for Android. If a data: URL is opened from a stored shortcut on the homescreen or from a BOOKMARK intent from another installed Android application, the addressbar continues to show the data: url even if the content redirects to another page, hiding the true origin of the content. This was due to an error in how hosts were handled with data: URLs.

This issue only affects Firefox for Android. Firefox on other operating systems is not affected.

References

Address bar spoofing with a BOOKMARK shortcut of data: URL (CVE-2016-1940)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-05

Addressbar spoofing through stored data url shortcuts on Firefox for Android

Description

References