CVE-2024-10004

9.1 CRITICAL

📋 TL;DR

Firefox for iOS could display the HTTPS padlock for a page that was actually loaded over plain HTTP. The trigger is a specific sequence: the app was closed while an HTTPS tab was open, then reopened by tapping an external HTTP link (for example from Mail or Messages). The secure indicator belonging to the restored tab was shown for the new, insecure page. A user who trusts the padlock may enter passwords or payment details that are then sent in cleartext and readable by anyone on the network path. Only Firefox for iOS is affected; Firefox on other platforms is a separate codebase and does not share this bug.

💻 Affected Systems

Products:
  • Firefox for iOS
Versions: All versions before 131.2
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Firefox iOS when specific conditions are met: app was previously closed with HTTPS tab open, then reopened via external HTTP link.

📦 What is this software?

Firefox for iOS is Mozilla's browser for iPhone and iPad. It renders pages with Apple's WebKit engine (WKWebView) rather than Mozilla's Gecko engine; the surrounding browser interface, including the address bar and the padlock indicator where this bug lives, is Mozilla's own app code.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A user who trusts the padlock enters credentials or card details on a page served over plain HTTP. Because the form is submitted in cleartext, anyone positioned on the network path (for example on shared Wi-Fi) can read or modify the traffic, capture the credentials and inject content into the page.

🟠

Likely Case

Users might unknowingly browse HTTP sites thinking they're secure, potentially exposing non-critical information or session data to interception.

🟢

If Mitigated

With proper user awareness and other security controls, the impact is limited to visual confusion without actual data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs user interaction (tapping an attacker-supplied HTTP link from another app) but no authentication or special privileges. The attacker controls only the link; the precondition that Firefox was last closed with an HTTPS tab open is outside their control, though it is a common state for a regularly used browser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 131.2

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-54/

Restart Required: Yes

Instructions:

1. Open the App Store on iOS.
2. Search for Firefox.
3. Tap Update to install version 131.2 or later.
4. Relaunch Firefox after the update completes.

🔧 Temporary Workarounds

Avoid External Links

Applies to: all affected versions

If Firefox for iOS was opened by a link from another app, do not trust the padlock: tap the address bar to reveal the full URL and confirm the scheme is https:// before entering anything, or type the address yourself.

Clear Tabs on Close

Applies to: all affected versions

Close all tabs before closing Firefox for iOS. The bug needs an HTTPS tab to be open when the app is closed, so an empty tab list removes the vulnerable state.

🧯 If You Can't Patch

  • Use another browser for sensitive browsing until the update is installed
  • Educate users to verify the full URL, including the scheme, rather than relying on the padlock alone
  • For sites you operate, serve HTTP Strict Transport Security so that clients that honor HSTS upgrade later HTTP links to HTTPS on their own; this reduces exposure for returning visitors but does not help on a first visit

🔍 How to Verify

Check if Vulnerable:

In Firefox for iOS, open the menu, tap Settings and scroll to the About section. If the version shown is below 131.2, the app is vulnerable.

Check Version:

There is no command-line check for iOS apps. Read the installed version from the in-app Settings > About entry or from the App Store's version history.

Verify Fix Applied:

After updating, confirm that the version shown in Settings > About is 131.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • The bug itself leaves no trace, but the exposure it creates does: web server access logs that record the listening port or scheme will show requests, including POSTs to login or checkout paths, arriving over plain HTTP from clients whose User-Agent carries an FxiOS/ token with a version below 131.2

Network Indicators:

  • Cleartext HTTP POST requests to authentication or payment paths from iOS clients, visible to any on-path monitoring (IDS, proxy, WAF); an HTTP request for a host that normally serves only HTTPS is a useful signal

SIEM Query:

Filter web access logs for a user_agent containing "FxiOS/" with a version below 131.2 and a cleartext scheme (port 80 or http), then prioritize POST requests to login, password and payment paths. Exact syntax depends on the SIEM and the log format.
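Detection of the downstream exposure can be scripted against web server access logs. The script below is an added example, not code from Mozilla or from this page. It assumes an Apache/nginx combined-format log with the listening port prepended (Apache %p, nginx $server_port) so that cleartext requests can be told apart from TLS ones, relies on the FxiOS/<version> token that Firefox for iOS sends in its User-Agent, and runs on constructed sample lines embedded in the script.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed in Firefox for iOS 131.2 (MFSA 2024-54); anything below is affected.
FIXED_VERSION = (131, 2)

# Constructed sample log lines (not real traffic). Assumed format: listening port,
# then the standard "combined" fields. Port 80 = cleartext HTTP, 443 = TLS.
SAMPLE_LOG = """\
80 203.0.113.5 - - [21/Oct/2024:14:02:11 +0000] "POST /login HTTP/1.1" 302 0 "http://www.example.com/login" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/131.1 Mobile/15E148 Safari/605.1.15"
443 203.0.113.5 - - [21/Oct/2024:14:03:40 +0000] "POST /login HTTP/1.1" 302 0 "https://www.example.com/login" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/131.2 Mobile/15E148 Safari/605.1.15"
80 198.51.100.9 - - [21/Oct/2024:14:05:02 +0000] "GET /news HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/130.10 Mobile/15E148 Safari/605.1.15"
80 198.51.100.9 - - [21/Oct/2024:14:06:30 +0000] "POST /account/password HTTP/1.1" 200 311 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/131.2 Mobile/15E148 Safari/605.1.15"
80 192.0.2.77 - - [21/Oct/2024:14:07:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"
"""

# port ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Firefox for iOS identifies itself with "FxiOS/<major>.<minor>" in the User-Agent.
FXIOS_RE = re.compile(r'FxiOS/(\d+)(?:\.(\d+))?')


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    version: tuple
    posted_data: bool  # True for POST: form data (possibly credentials) went in cleartext


def fxios_version(user_agent: str) -> Optional[tuple]:
    """Return (major, minor) for a Firefox for iOS User-Agent, or None for other clients."""
    m = FXIOS_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def is_vulnerable(version: tuple) -> bool:
    """Numeric tuple compare, so 130.10 < 131.2 is handled correctly (string compare would not)."""
    return version < FIXED_VERSION


def scan(log_text: str) -> list:
    """Flag cleartext (port 80) requests from Firefox for iOS builds below 131.2."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        if m.group('port') != '80':
            continue  # TLS traffic is not this exposure
        version = fxios_version(m.group('ua'))
        if version is None or not is_vulnerable(version):
            continue
        findings.append(Finding(
            ip=m.group('ip'),
            method=m.group('method'),
            path=m.group('path'),
            version=version,
            posted_data=(m.group('method') == 'POST'),
        ))
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        severity = 'HIGH (cleartext POST)' if f.posted_data else 'info (cleartext GET)'
        print(f"{f.ip} {f.method} {f.path} FxiOS/{f.version[0]}.{f.version[1]} -> {severity}")
```

Run as-is it reports two of the five constructed lines: the 131.1 client that POSTed to /login over port 80 (credentials in cleartext, the worst case above) and the 130.10 client that fetched /news over port 80. The 131.2 clients are dropped even where they still used cleartext, because they are not affected by this CVE; a cleartext POST from any client is still worth a separate, CVE-independent alert.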

🔗 References
