CVE-2021-23976

8.1 HIGH

📋 TL;DR

This vulnerability in Firefox for Android allows malicious apps to send crafted intents that trick Firefox into loading webapp manifests from arbitrary file paths and declaring them for other origins. This enables UI spoofing through fullscreen access and potential cross-origin attacks against targeted websites. Only Firefox for Android versions before 86 are affected.

💻 Affected Systems

Products:
  • Firefox for Android
Versions: All versions before 86
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Firefox for Android. Desktop Firefox and other browsers are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could create convincing phishing interfaces that appear as legitimate websites, potentially stealing credentials, session tokens, or sensitive data through UI spoofing and cross-origin attacks.

🟠 Likely Case

Malicious apps could display fake login screens or interfaces that mimic legitimate services to harvest user credentials or perform unauthorized actions.

🟢 If Mitigated

With proper app isolation and user awareness, impact is limited to potential phishing attempts that users might recognize as suspicious.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a malicious app to be installed on the same Android device and send crafted intents to Firefox.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox for Android 86 and later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-07/

Restart Required: Yes

Instructions:

1. Open Google Play Store
2. Search for Firefox
3. Update to version 86 or later
4. Restart Firefox after update

🔧 Temporary Workarounds

Disable app installation from unknown sources

Platform: Android

Prevents installation of malicious apps that could exploit this vulnerability

Android Settings > Security > Unknown Sources > Disable

Use alternative browser temporarily

Platform: Android

Switch to another browser until Firefox is updated

🧯 If You Can't Patch

  • Restrict installation of third-party apps to trusted sources only
  • Monitor for suspicious app behavior and uninstall unknown apps

🔍 How to Verify

Check if Vulnerable:

Open Firefox for Android, go to Settings > About Firefox, check if version is below 86

Check Version:

Not applicable for Android GUI

Verify Fix Applied:

Confirm Firefox version is 86 or higher in Settings > About Firefox
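For fleet checks where opening the GUI on every device is impractical, the version can be read over adb and compared against the fixed release. The script below is an added example, not part of the advisory or of Mozilla's tooling: it parses the `versionName` line that `dumpsys package` prints and reports whether the major version is below 86. It assumes the Firefox for Android package name `org.mozilla.firefox` for the real `adb shell dumpsys package` call; the `dumpsys` excerpt embedded here is constructed so the script runs offline.

```shell
# Added example (not from the advisory): decide whether a Firefox for
# Android build predates the CVE-2021-23976 fix (version 86) from the
# output of `dumpsys package`. On a real device you would run
#   adb shell dumpsys package org.mozilla.firefox   (package name assumed)
# and feed that text to assess_dumpsys instead of the constructed sample.

# Constructed sample of what `dumpsys package` prints for an old build.
SAMPLE_DUMPSYS='Package [org.mozilla.firefox] (1a2b3c):
    versionCode=2015813579 minSdk=21 targetSdk=30
    versionName=85.1.3
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]'

# Print the first versionName found in dumpsys output read from stdin.
extract_version_name() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the versionName's major number is below 86,
# 1 when it is 86 or later, 2 when the string cannot be parsed.
firefox_below_fix() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) echo "unparseable version: $1" >&2; return 2 ;;
    esac
    [ "$major" -lt 86 ]
}

# Feed raw dumpsys text, print a one-line verdict.
assess_dumpsys() {
    ver=$(printf '%s\n' "$1" | extract_version_name)
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if firefox_below_fix "$ver"; then
        echo "vulnerable ($ver < 86)"
    else
        echo "fixed ($ver >= 86)"
    fi
}

assess_dumpsys "$SAMPLE_DUMPSYS"
```

Only the major version matters for this advisory, so the comparison deliberately ignores minor and patch numbers; a missing `versionName` line (package not installed, or a build that reports it differently) is reported as "unknown" rather than silently treated as fixed.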

📡 Detection & Monitoring

Log Indicators:

  • Unusual intent handling in Android system logs
  • Firefox loading manifests from unexpected file paths

Network Indicators:

  • Unexpected cross-origin requests from Firefox to sensitive domains

SIEM Query:

Not typically applicable for mobile app vulnerabilities
