Mozilla Firefox for Android < 42.0 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9019

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox for Android earlier than 42.0 are affected by multiple vulnerabilities. These include:

- A flaw exists in 'mobile/android/chrome/content/browser.js' that is triggered when the device exits fullscreen mode. This allows a context-dependent attacker to spoof the address bar. (CVE-2015-7185)
- A flaw exists in 'mobile/android/components/HelperAppDialog.js' that is triggered when handling the 'file://' URI scheme. This may allow a context-dependent attacker to download arbitrary files or open cached profile data without the user knowing. (CVE-2015-7186)
- A flaw exists in 'mobile/android/search/java/org/mozilla/search/PostSearchFragment.java' related to the crash reporter. The issue is triggered when a registered search engine uses an Android intent to launch the program. This may allow a malicious app to gain access to local log files that may contain sensitive information or local HTML files through file: URIs. (CVE-2015-7190)
- A flaw exists in the 'IntentHelper::openNoHandler()' function in 'mobile/android/base/IntentHelper.java'. The issue is triggered when handling 'intent://' URLs during fallback navigation. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server (i.e. conduct UXSS attacks). (CVE-2015-7191)

Solution

Upgrade to Mozilla Firefox 42.0 or later from the Google Play app store.

See Also

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox42

https://www.mozilla.org/en-US/security/advisories/mfsa2015-119

https://www.mozilla.org/en-US/security/advisories/mfsa2015-120

https://www.mozilla.org/en-US/security/advisories/mfsa2015-124

https://www.mozilla.org/en-US/security/advisories/mfsa2015-125

https://bugzilla.mozilla.org/show_bug.cgi?id=1149000

https://bugzilla.mozilla.org/show_bug.cgi?id=1193027

https://bugzilla.mozilla.org/show_bug.cgi?id=1208520

https://bugzilla.mozilla.org/show_bug.cgi?id=1208956

Plugin Details

Severity: Medium

ID: 9019

Published: 12/7/2015

Updated: 3/6/2019

Dependencies: 6534

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:firefox_mobile:*:*:*:*:*:*:*:*

Patch Publication Date: 11/3/2015

Vulnerability Publication Date: 9/2/2015

Reference Information

CVE: CVE-2015-7186, CVE-2015-7185, CVE-2015-7191, CVE-2015-7190

BID: 77412