PT-2015-1848 · Mozilla · Firefox OS

Muneaki Nishimura · Published 2015-08-06 · Updated 2015-08-10 · CVE-2015-2745

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Mozilla Firefox OS versions prior to 2.2

Description

The issue allows remote attackers to inject arbitrary HTML via the name or title field in card content associated with a search link that is mishandled after a HOME button press or a Show Windows action. This can be demonstrated by embedding an arbitrary application or spoofing the account-creation page. The vulnerability exists due to the lack of protection of the web page structure in the Gaia Search app component of Firefox OS.

Recommendations

For versions prior to 2.2, update to version 2.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Search app in Gaia until a patch is available. Avoid using the name and title fields in the search link card content to minimize the risk of exploitation.

Fix

XSS


Weakness Enumeration

Related identifiers

BDU:2015-11194
CVE-2015-2745

Affected products

Firefox OS