CVE-2021-23976
HIGHFirefox < 86.0 - UI Spoofing and Cross-Origin Attacks via Malicious Intent Manifest
Title source: llmDescription
When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: This issue is a different issue from CVE-2020-26954 and only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86.
References (3)
Core 3
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-07/
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1684627
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202104-10
Scores
CVSS v3
8.1
EPSS
0.0110
EPSS Percentile
61.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Details
CWE
CWE-1021
Status
published
Products (1)
mozilla/firefox
< 86.0
Published
Feb 26, 2021
Tracked Since
Feb 18, 2026