CVE-2024-26282

7.1 HIGH

📋 TL;DR

This vulnerability in Firefox for iOS allows attackers to execute JavaScript on bookmarked AMP pages by manipulating canonical URLs. It affects Firefox for iOS users who have bookmarked AMP pages and are running vulnerable versions. The attack requires user interaction through opening a maliciously crafted bookmarked page.

💻 Affected Systems

Products:
  • Firefox for iOS
Versions: All versions before 123
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Firefox for iOS mobile browser. Requires the user to have bookmarked an AMP page whose canonical URL has been maliciously manipulated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could execute arbitrary JavaScript in the context of the bookmarked page, potentially stealing session cookies or credentials, or performing actions on behalf of the user.

🟠 Likely Case

Limited JavaScript execution on specific bookmarked AMP pages, potentially enabling session hijacking or credential theft from the affected sites.

🟢 If Mitigated

With the patch applied, there is no impact: the vulnerability is fully addressed in Firefox for iOS 123 and later.

🌐 Internet-Facing: MEDIUM - Requires user to bookmark and open a malicious AMP page, but exploitation is straightforward once the bookmark exists.
🏢 Internal Only: LOW - Primarily affects individual mobile users rather than internal enterprise systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening a maliciously crafted bookmarked page), but the technical execution is straightforward once the bookmark has been created.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox for iOS 123 and later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-08/

Restart Required: Yes

Instructions:

1. Open the App Store on your iOS device.
2. Search for Firefox.
3. Tap 'Update' if available.
4. If no update shows, pull down to refresh.
5. Install Firefox 123 or later.

🔧 Temporary Workarounds

  • Avoid AMP page bookmarks (all): Do not bookmark AMP pages until Firefox is updated to version 123+
  • Use alternative browser (all): Temporarily use Safari or another browser for AMP content

🧯 If You Can't Patch

  • Avoid bookmarking AMP pages in Firefox for iOS
  • Clear all existing AMP page bookmarks from Firefox for iOS

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in iOS Settings > Firefox > About. If version is below 123, the device is vulnerable.

Check Version:

Not applicable from the command line for an iOS GUI app; check in Settings > Firefox > About instead.

Verify Fix Applied:

Confirm Firefox version is 123 or higher in iOS Settings > Firefox > About.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution from bookmarked AMP pages
  • Suspicious canonical URL parameters in page requests

Network Indicators:

  • Requests to AMP pages with manipulated canonical URLs from Firefox iOS user agents

SIEM Query:

Not typically applicable, as this is a client-side mobile browser vulnerability.
