
John-Mark Gurney

#49235 of 53,633
5 Total CVSS
Vulnerabilities · 1
PT-2023-7881
5.0
2023-12-19
Mozilla · Firefox · CVE-2023-6868
**Name of the Vulnerable Software and Affected Versions**

Firefox versions prior to 121

**Description**

The user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. The issue is related to insufficient protection of service data and may allow a remote attacker to gain unauthorized access to limited functions. This bug only affects Firefox on Android.

**Recommendations**

For Firefox versions prior to 121, update to version 121 or later to resolve the issue. As a temporary workaround, consider restricting access to push requests until a patch is available. Avoid using the `VAPID` parameter in push requests until the issue is resolved.