CVE-2023-49060

9.8 CRITICAL

📋 TL;DR

This vulnerability in Firefox for iOS allows attackers to exfiltrate security keys from ReaderMode via the referrerpolicy attribute, potentially accessing internal pages or data. It affects Firefox for iOS versions below 120. Users running vulnerable versions on iOS devices are at risk.

💻 Affected Systems

Products:
  • Firefox for iOS
Versions: All versions < 120
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Firefox for iOS; desktop Firefox and other browsers are not vulnerable.

📦 What is this software?

Firefox for iOS is Mozilla's web browser for iPhone and iPad. It is a separate code base from desktop Firefox: Apple requires third-party iOS browsers to use the system WebKit engine, so the app builds its own features (such as ReaderMode) on top of WebKit, which is why this issue is specific to the iOS app.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal pages, user data, or authentication tokens, leading to account compromise or data theft.

🟠 Likely Case

Targeted attacks could steal browsing session data or access restricted pages the user has permissions to view.

🟢 If Mitigated

With proper patching, no exploitation is possible; without patching, network controls could limit data exfiltration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (e.g., visiting a malicious site) but is straightforward once triggered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 120

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-51/

Restart Required: Yes

Instructions:

1. Open the App Store on your iOS device.
2. Search for Firefox.
3. Tap Update to install version 120 or later.
4. Restart the Firefox app after updating.

🔧 Temporary Workarounds

Disable ReaderMode

Applies to: all affected versions

Prevents exploitation by disabling the vulnerable ReaderMode feature.

No command required; disable via Firefox for iOS settings: Settings > Reader Mode > toggle off

🧯 If You Can't Patch

  • Restrict network access to limit data exfiltration via firewalls or proxy controls.
  • Monitor for unusual referrer policy usage in web traffic logs.

🔍 How to Verify

Check if Vulnerable:

Open Firefox for iOS, go to Settings > About Firefox, and check if version is below 120.

Check Version:

No command-line or automated check is available; check manually in the app settings as described above.

Verify Fix Applied:

Confirm Firefox for iOS version is 120 or higher in Settings > About Firefox.

📡 Detection & Monitoring

Log Indicators:

  • Unusual referrerpolicy attribute usage in web server logs, especially from iOS devices.

Network Indicators:

  • Suspicious outbound traffic patterns from Firefox iOS app indicating data exfiltration.

SIEM Query:

Not provided; focus on patching as primary defense.

🔗 References

  • Mozilla Foundation Security Advisory 2023-51: https://www.mozilla.org/security/advisories/mfsa2023-51/