CVE-2024-31392 – This vulnerability in Firefox for iOS causes th... (How to Fix)

Q: What is the severity of CVE-2024-31392?

CVE-2024-31392 has a CVSS score of 7.5 (HIGH). This vulnerability in Firefox for iOS causes the browser to incorrectly display a secure lock icon when insecure content loads on a page after a delay, creating a false sense of security. It affects Firefox for iOS users running versions below 124. Attackers could exploit this to make users believe they're on a secure site when mixed content is present.

📋 TL;DR

This vulnerability in Firefox for iOS causes the browser to incorrectly display a secure lock icon when insecure content loads on a page after a delay, creating a false sense of security. It affects Firefox for iOS users running versions below 124. Attackers could exploit this to make users believe they're on a secure site when mixed content is present.

💻 Affected Systems

Products:

Firefox for iOS

Versions: All versions below 124

Operating Systems: iOS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Firefox for iOS; desktop Firefox and other browsers are not affected.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users could be tricked into entering sensitive information on pages that appear secure but contain insecure elements, leading to credential theft or session hijacking.

🟠

Likely Case

Users might not notice mixed content warnings, potentially exposing them to man-in-the-middle attacks or content manipulation on seemingly secure sites.

🟢

If Mitigated

With proper user awareness and updated browsers, the risk is limited to visual deception without direct code execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction (visiting a malicious site) but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox for iOS 124

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-17/

Restart Required: Yes

Instructions:

1. Open the App Store on iOS. 2. Search for Firefox. 3. Tap 'Update' if available. 4. Restart Firefox after update completes.

🔧 Temporary Workarounds

Use alternative browser

ios

Temporarily use Safari or another updated browser until Firefox is patched.

Enable strict HTTPS enforcement

ios

Use browser settings to enforce HTTPS-only mode where available.

🧯 If You Can't Patch

Educate users to manually check URLs and look for mixed content warnings
Implement network filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in Settings > About Firefox. If version is below 124, you are vulnerable.

Check Version:

Open Firefox > Settings > About Firefox

Verify Fix Applied:

After updating, verify version is 124 or higher in Settings > About Firefox.

📡 Detection & Monitoring

Log Indicators:

Unusual mixed content loading patterns
User reports of incorrect security icons

Network Indicators:

HTTP content loading on HTTPS pages
Mixed content warnings in browser logs

SIEM Query:

Not applicable for client-side browser vulnerability

📊 Metadata

CVE ID: CVE-2024-31392

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Published: April 3, 2024

Last Updated: April 9, 2025

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1875925 Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-17/ Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1875925 Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-17/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON