Closed Bug 1886469 Opened 2 years ago Closed 1 year ago

Firefox for Android with the Open Link in Apps feature enabled can lead to spoofing of the address bar.

Categories

(Firefox for Android :: Browser Engine, defect)

Product:
Firefox for Android
Component:
Browser Engine
Version:
Firefox 125
Platform:
All
Android
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 + fixed

People

(Reporter: Laraweron, Unassigned)

References

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main130-])

Attachments

(3 files)

video_2024-03-20_19-57-44.mp4
1.07 MB, video/mp4
Details
geo.html
230 bytes, text/html
Details
mail.html
325 bytes, text/html
Details

By default, this feature is disabled for the user, however, if the slider is set to Always mode, it is possible to overlay the notification about entering full screen mode.
This is taken from Bug 1822305.

<input onclick = 'location.href="tel:1"; document.documentElement.requestFullscreen()'></input>

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
OS: Unspecified → Android
Product: Firefox → Focus
Hardware: Unspecified → All
Version: unspecified → Firefox 125
Product: Focus → Fenix

We might have this on file already, but in the mean time marking it sec-moderate since it's not the default. I believe this particular panel comes up only if the user has multiple apps to handle the protocol and has not chosen a default. Most users find that annoying and will have chosen a default or never installed alternate dialers in the first place.

Keywords: sec-moderate
Severity: -- → S3
Status: UNCONFIRMED → NEW
Component: General → Browser Engine
Ever confirmed: true
Attached file geo.html
Attached file mail.html

I also added an example of geo.html, it may be more suitable as an example.
The other file is not related to mail.html security, but it has strange behavior with the address bar and should be moved to the section of closed bugs.

The new patch for Nightly v130.0a1 seems to fix this bug.

Could you take a look?

Flags: needinfo?(polly)

thanks for the shout Raphael!
You are right - i have retested this issue on nightly 130.0a1, and the fullscreen notification toast now appears above the Open With... dialog.
So marking this as fixed. Appreciate the heads up! :)

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(polly)
Resolution: --- → FIXED
Depends on: CVE-2024-8388
Group: mobile-core-security → core-security-release
status-firefox128: --- → wontfix
status-firefox129: --- → wontfix
status-firefox130: --- → fixed
tracking-firefox130: --- → +
Flags: sec-bounty? → sec-bounty+

This bug will be referenced in the advisory for the fix (bug 1902996)

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [client-bounty-form][adv-main130-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: