Mozilla Firefox Focus URL Elision Vulnerability Allows Address Bar Spoofing

Vulnerability

A spoofing vulnerability has been identified in Mozilla Firefox Focus for iOS, affecting versions prior to 138. This issue arises from the browser's handling of long URLs, which can be truncated in a way that misleads users about their actual location on the web. By exploiting this URL elision, websites can create the illusion that a user is on a different page, potentially leading to confusion or phishing attempts.

Impact

Exploitation of this vulnerability could trick users into believing they are on a different webpage, creating a risk of phishing or other deceptive practices.

Reproduction

To reproduce this vulnerability, open a long URL that exceeds the address bar's display capacity in Firefox Focus for iOS. The browser will truncate the URL, creating an opportunity for spoofing. This issue does not occur in the Android version of Firefox Focus, which shares code with Firefox but handles URLs differently.

Remediation

Users can update to Firefox Focus version 138 or later to address this vulnerability.
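The mitigation for this class of bug is a display rule rather than a patch to URL parsing: whatever gets elided, the host the user is actually on must stay visible. The following is an added illustration, not Firefox Focus's own code, contrasting a naive "keep the tail that fits" truncation (which drops the host on a long URL) with a host-preserving elision and a check that a rendered string still shows the real origin. `SAMPLE_URL` is a constructed benign input.

```python
from urllib.parse import urlsplit, SplitResult

ELLIPSIS = "\u2026"

# Constructed sample: a harmless host followed by a path long enough to overflow
# any realistic address bar.
SAMPLE_URL = "https://example.com/" + "a" * 100 + "?q=" + "b" * 50


def _authority(parts: SplitResult) -> str:
    """Host (and port) only; urlsplit().hostname already drops any userinfo."""
    if not parts.hostname:
        raise ValueError("display requires an absolute URL with a host")
    return parts.hostname + (f":{parts.port}" if parts.port else "")


def naive_elide(url: str, width: int) -> str:
    """Failure mode: keep whatever tail fits, so a long path pushes the host out of view."""
    if len(url) <= width:
        return url
    return ELLIPSIS + url[-(width - 1):]


def host_preserving_elide(url: str, width: int) -> str:
    """Always render scheme://host in full; elide only the path/query/fragment."""
    parts = urlsplit(url)
    prefix = f"{parts.scheme}://{_authority(parts)}"
    rest = parts.path + (f"?{parts.query}" if parts.query else "") \
        + (f"#{parts.fragment}" if parts.fragment else "")
    if len(prefix) + len(rest) <= width:
        return prefix + rest
    budget = width - len(prefix)
    if budget < 2:  # host alone fills the bar: show it anyway, never cut it
        return prefix + (ELLIPSIS if rest else "")
    return prefix + rest[: budget - 1] + ELLIPSIS


def host_is_visible(displayed: str, url: str) -> bool:
    """Check a rendered string starts with the real origin, followed by a path/query/fragment or elision."""
    parts = urlsplit(url)
    prefix = f"{parts.scheme}://{_authority(parts)}"
    if not displayed.startswith(prefix):
        return False
    tail = displayed[len(prefix):]
    return tail == "" or tail[0] in "/?#" + ELLIPSIS
```

Running `host_is_visible` over both elision strategies with a 40-character bar shows the naive tail truncation hiding `example.com` entirely while the host-preserving form keeps it at the start of the string.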

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.