{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-23108", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-01-10T21:00:17.659Z", "datePublished": "2025-01-11T03:36:53.989Z", "dateUpdated": "2026-04-13T14:29:24.969Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "134", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134."}]}], "title": "Firefox Mobile iOS Full Address Bar Spoof Using Open in New Tab and Javascript URI", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933172"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-06/"}], "credits": [{"lang": "en", "value": "Renwa"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:24.969Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-13T17:44:14.905100Z", "id": "CVE-2025-23108", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T17:46:18.921Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-23108", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-13T17:44:14.905100Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T17:46:08.182Z"}}], "cna": {"title": "Firefox Mobile iOS Full Address Bar Spoof Using Open in New Tab and Javascript URI", "credits": [{"lang": "en", "value": "Renwa"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "unaffected", "version": "134", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933172"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-06/"}], "descriptions": [{"lang": "en", "value": "Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134.", "supportingMedia": [{"type": "text/html", "value": "Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:24.969Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23108", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:29:24.969Z", "dateReserved": "2025-01-10T21:00:17.659Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-01-11T03:36:53.989Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "287CBA5C-D765-4028-A3EE-44AE2589E99E", "versionEndExcluding": "134.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134."}, {"lang": "es", "value": "Abrir enlaces de Javascript en una nueva pesta\u00f1a manteniendo pulsada la tecla en el cliente iOS de Firefox podr\u00eda provocar que un script malicioso falsifique la URL de la nueva pesta\u00f1a. Esta vulnerabilidad afecta a Firefox para iOS < 134."}], "id": "CVE-2025-23108", "lastModified": "2026-04-13T15:16:54.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-11T04:15:06.280", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933172"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-06/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:55:06.258841+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox for iOS to version\u00a0134 or later, which includes the fix that prevents JavaScript URLs from spoofing the address bar.", "In the intervening period, disable JavaScript in the browser\u2019s settings or use a content\u2011blocking feature to block execution of JavaScript links until the update can be applied.", "Refrain from long\u2011pressing JavaScript URLs; instead, tap them normally or validate the destination URL before interacting with it."], "summary": {"action": "Update Browser", "impact": "URL spoofing via JavaScript links"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for iOS before version\u00a0134 is affected. The issue was fixed in Firefox iOS\u00a0134 and later releases, so any device running older builds of the mobile browser is vulnerable.", "description_and_impact": "Opening JavaScript links in a new tab by long\u2011pressing a link in Firefox for iOS lets a web page cause the browser to display a falsified address bar for the new tab. The displayed URL can be different from the actual script location, enabling a malicious site to trick users into believing they are viewing a legitimate page while executing harmful code. The weakness is a web\u2011UI input flaw (CWE\u201179).", "risk_and_exploitability": "The vulnerability\u2019s CVSS score of\u00a04.3 indicates moderate impact, and the EPSS score of less than\u00a01% suggests very low current exploitation probability. It is not listed in CISA\u2019s KEV. The likely attack vector is a user interacting with a malicious link; the attacker needs only to host a JavaScript URL and ensure the victim long\u2011presses it in Firefox iOS, so the risk is limited to users who employ this interaction pattern."}}}}, "created": "2026-04-21T00:00:13.391427+00:00", "updated": "2026-04-21T00:00:13.391447+00:00", "vendors": []}