CVE-2024-4766 – This vulnerability allows attackers to hide the... (How to Fix)

Q: How do I fix CVE-2024-4766?

1. Open Google Play Store. 2. Search for Firefox. 3. Tap Update. 4. Restart Firefox after update completes.

Q: What is the severity of CVE-2024-4766?

CVE-2024-4766 has a CVSS score of 4.3 (MEDIUM). This vulnerability allows attackers to hide the fullscreen notification in Firefox for Android, potentially tricking users into interacting with spoofed content. Only Firefox for Android versions before 126 are affected; desktop Firefox and other browsers are not vulnerable.

📋 TL;DR

This vulnerability allows attackers to hide the fullscreen notification in Firefox for Android, potentially tricking users into interacting with spoofed content. Only Firefox for Android versions before 126 are affected; desktop Firefox and other browsers are not vulnerable.

💻 Affected Systems

Products:

Firefox for Android

Versions: All versions < 126

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Firefox for Android; Firefox for desktop, iOS, and other browsers are unaffected.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could create convincing phishing pages that appear as legitimate fullscreen applications, leading to credential theft or malware installation.

🟠

Likely Case

Users might be tricked into clicking malicious links or providing sensitive information on spoofed websites.

🟢

If Mitigated

With updated browsers, users see proper fullscreen notifications and can identify suspicious behavior.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction (visiting a malicious website) but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox for Android 126

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-21/

Restart Required: Yes

Instructions:

1. Open Google Play Store. 2. Search for Firefox. 3. Tap Update. 4. Restart Firefox after update completes.

🔧 Temporary Workarounds

Disable JavaScript

android

Prevents malicious scripts from hiding fullscreen notifications

about:config → javascript.enabled → false

Use Desktop Mode

android

Forces websites to load in desktop view which may bypass fullscreen tricks

Menu → Request Desktop Site

🧯 If You Can't Patch

Use alternative mobile browsers like Chrome or Safari temporarily
Avoid visiting untrusted websites on Firefox for Android

🔍 How to Verify

Check if Vulnerable:

Open Firefox for Android → Menu → Settings → About Firefox → Check version number

Check Version:

about:

Verify Fix Applied:

Confirm version is 126 or higher in About Firefox settings

📡 Detection & Monitoring

Log Indicators:

Unusual fullscreen permission requests in browser logs
Multiple rapid fullscreen toggle events

Network Indicators:

HTTP requests to domains with suspicious fullscreen JavaScript patterns

SIEM Query:

source="firefox_android" AND (event="fullscreen" OR event="permission_request") AND count > threshold

📊 Metadata

CVE ID: CVE-2024-4766

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Published: May 14, 2024

Last Updated: April 4, 2025

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1871214 Issue Tracking
https://bugzilla.mozilla.org/show_bug.cgi?id=1871217 Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-21/ Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1871214 Issue Tracking
https://bugzilla.mozilla.org/show_bug.cgi?id=1871217 Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-21/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON