CRITICAL🇵🇱 Wersja polska

CVE-2025-8042

CVSS 9.8v3.1pub. 2025-08-19upd. 2026-04-13

Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.

🤖 AI Analysis
How it works

The sandbox mechanism for HTML iframe elements provides an `allow-downloads` attribute, which must be explicitly granted for a frame to initiate file downloads. In Firefox for Android, the control of this permission was implemented incorrectly (CWE-732 — Incorrect Permission Assignment for Resource), as a result a sandboxed iframe without the `allow-downloads` attribute could still initiate file downloads. An attacker could place a malicious iframe on a controlled website and initiate downloads without the user's knowledge or consent.

Impact

An attacker can initiate the download of arbitrary files on a user's device without required permissions, which may lead to the delivery of malicious software or unauthorized file writes on an Android device.

Mitigation & patch

Firefox for Android should be updated to version 141 or later, in which the vulnerability has been fixed. The update is available through the Google Play Store.

Who is affected

Mozilla Firefox for Android in versions prior to Firefox 141 (on Google Android devices)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Google Android

    OS
    Google
    wszystkie wersje
  • Mozilla Firefox

    APP
    Mozilla
    < 141.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2020-16010CRITICAL9.6⚠ KEVten sam produkt

Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2016-1019CRITICAL9.8⚠ KEVten sam produkt

Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...