The Firefox and Firefox Focus UI for the Android custom...
High severity
Unreviewed
Published
Oct 14, 2025
to the GitHub Advisory Database
•
Updated Oct 15, 2025
Description
Published by the National Vulnerability Database
Oct 14, 2025
Published to the GitHub Advisory Database
Oct 14, 2025
Last updated
Oct 15, 2025
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability affects Firefox < 144.
References