Endpoint Vulnerability

Addressbar spoofing through stored data url shortcuts on Firefox for Android

Description

Security researcher Muneaki Nishimura reported an issue with displayed URLs and bookmarks on Firefox for Android. If a data: URL is opened from a stored shortcut on the homescreen or from a BOOKMARK intent from another installed Android application, the addressbar continues to show the data: URL even if the content redirects to another page, hiding the true origin of the content. This was due to an error in how hosts were handled with data: URLs.

Affected Products

Firefox

References

CVE-2016-1940