Pedro Oliveira

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to 84 **Description** The issue is related to insufficient access control in Firefox for Android, allowing a remote attacker to bypass existing security restrictions. When a malicious application installed on the user's device broadcasts an Intent to Firefox for Android, arbitrary headers could be specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. **Recommendations** For Firefox for Android versions prior to 84, update to version 84 or later to resolve the issue. As a temporary workaround, consider restricting the use of Intent broadcasts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to the fixed version **Description** A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins. This issue can be exploited by visiting a malicious website, potentially allowing the theft of cookies. **Recommendations** For Firefox for Android versions prior to the fixed version, update to the latest version to resolve the issue. As a temporary workaround, consider restricting access to sensitive websites until the update is applied. Avoid using Firefox for Android to access sensitive information until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 68.11 **Description** The issue is related to a lack of restrictions on file uploads in Firefox ESR for Android, allowing an attacker to steal and upload local files of their choice. This could impact the confidentiality of protected information. The vulnerability can be exploited when a malicious file picker application is installed. **Recommendations** For Firefox ESR versions prior to 68.11, update to version 68.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of file picker applications in Firefox for Android until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 68.11 **Description** The issue is related to insecure privilege management in Firefox ESR for Android, allowing an attacker to overwrite local files, including Firefox settings, if a malicious file picker application is installed. This does not allow access to the previous profile. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Firefox ESR versions prior to 68.11, update to version 68.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of file picker applications to minimize the risk of exploitation.