CVE-2024-0605
HIGH
Firefox Focus < 122.0 - Unauthenticated Race Condition via javascript: URI setTimeout
Title source: llm
Description
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top-origin sites in the URL bar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.
References (2)
Core References
Issue Tracking, Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1855575
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-03/
Scores
CVSS v3: 7.5
EPSS: 0.0004
EPSS Percentile: 10.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-362
Status: published
Products (1)
mozilla/firefox_focus < 122.0
Published: Jan 22, 2024
Tracked Since: Feb 18, 2026