CVE-2021-29971
📋 TL;DR
This vulnerability in Firefox for Android allows any webpage served from the same host to inherit permissions the user previously granted to another webpage on that host, regardless of scheme or port. Saved permission decisions should be scoped to the full origin (scheme, host and port); here they were effectively keyed by host alone, so an http:// page, or a page on a different port of the same hostname, received grants made to the https:// site. Only Firefox for Android versions below 90 are affected; desktop Firefox is not.
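To make the origin-versus-host distinction concrete, the following is an added example, not Mozilla's code and not Firefox's real permission store: a minimal JavaScript model of a saved-permission store keyed the wrong way (by hostname, as in the vulnerable behaviour) beside the corrected keying (by origin). The PermissionStore class, the hostKey/originKey functions and the example URLs are illustrative assumptions; run it with Node.js.

```javascript
// Added example (not Mozilla/Firefox code): models the root cause of
// CVE-2021-29971. A saved permission decision must be keyed by the full
// origin (scheme + host + port), not by host alone.

// Vulnerable key: host only. https://example.com and http://example.com
// collapse to one entry, so a grant to one is "inherited" by the other.
function hostKey(url) {
  return new URL(url).hostname;
}

// Fixed key: the origin, which carries scheme and (non-default) port.
function originKey(url) {
  return new URL(url).origin;
}

// Simplified stand-in for a browser's persisted site-permission store.
class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.grants = new Map(); // key -> Set of granted permission names
  }
  grant(url, permission) {
    const key = this.keyFn(url);
    if (!this.grants.has(key)) this.grants.set(key, new Set());
    this.grants.get(key).add(permission);
  }
  isGranted(url, permission) {
    const set = this.grants.get(this.keyFn(url));
    return set !== undefined && set.has(permission);
  }
}

// Constructed scenario: the user grants "camera" to the legitimate HTTPS
// page and the decision is saved. Later, pages sharing the hostname but
// not the origin (plaintext HTTP, or another port) ask for the camera.
function demo(store) {
  store.grant("https://example.com/video-call", "camera");
  return {
    sameOrigin: store.isGranted("https://example.com/other-page", "camera"),
    plainHttp:  store.isGranted("http://example.com/attacker", "camera"),
    otherPort:  store.isGranted("https://example.com:8443/attacker", "camera"),
    otherHost:  store.isGranted("https://attacker.example.net/", "camera"),
  };
}

const vulnerable = demo(new PermissionStore(hostKey));
const fixed = demo(new PermissionStore(originKey));
console.log("host-keyed (vulnerable):", vulnerable);
console.log("origin-keyed (fixed):   ", fixed);
```

With the host-keyed store the plaintext-HTTP and alternate-port pages are granted the camera without any prompt; with the origin-keyed store only the same-origin page is, which is the behaviour Firefox for Android 90 restores.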
💻 Affected Systems
- Firefox for Android
📦 What is this software?
Firefox is Mozilla's open-source web browser. This issue is specific to the Android app; desktop Firefox and other platforms are not affected.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can serve content under the same hostname as a site the user trusts, for example over plaintext HTTP on a network the attacker controls, or on a different port of that host, could use camera, microphone or location access that the user had granted to the legitimate site, with no further prompt, leading to covert surveillance or data theft.
Likely Case
A malicious page that shares a hostname with a site the user has already granted location, camera or microphone access to could use those permissions without the user noticing, because the prompt that would normally appear for a new origin is skipped.
If Mitigated
On Firefox for Android 90 or later the issue is fixed. On older builds, revoking saved site permissions removes the grants that could be inherited, so the residual impact is limited to permissions the user chooses to re-grant.
🎯 Exploit Status
Exploitation requires the user to have granted a permission to a legitimate page on the host first. The attacker must then get the victim to load a page under the same hostname but a different scheme or port, which typically means controlling another service on that host or being able to answer plaintext HTTP for that name (for instance from a hostile network). Once that is in place, reusing the inherited permission is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox for Android 90 and later
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-28/
Restart Required: Yes
Instructions:
1. Open the Google Play Store on the Android device.
2. Search for Firefox.
3. If an update is available, tap Update.
4. Restart Firefox after the update completes.
🔧 Temporary Workarounds
Disable Permissions for All Sites
Revoke all saved site permissions in Firefox settings so there is nothing for a same-host page to inherit.
Open Firefox for Android > Settings > Site Permissions > Review and revoke permissions for all sites
Use Alternative Browser
Temporarily switch to a browser that is not affected until Firefox for Android can be updated to 90 or later.
🧯 If You Can't Patch
- Avoid granting permissions to websites in Firefox for Android.
- Use private browsing mode, where site permission decisions are not saved across sessions, so a grant cannot persist for a later page on the same host to inherit.
🔍 How to Verify
Check if Vulnerable:
Check Firefox version in app settings; if below 90, it is vulnerable.
Check Version:
Open Firefox for Android > Settings > About Firefox
Verify Fix Applied:
Confirm Firefox version is 90 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- Unexpected site permission entries in Firefox's site-permission settings (a host listed as granted camera, microphone or location that the user does not recall approving), bearing in mind that mobile browsers keep little usable permission logging.
Network Indicators:
- Requests to a hostname the user normally reaches over HTTPS arriving over plaintext HTTP or on an unusual port, since sharing the host without sharing the origin is the precondition for inheriting a saved permission.
SIEM Query:
Not typically applicable for mobile browser vulnerabilities on personal devices.