Endpoint Vulnerability

Android intents can be used on Firefox for Android to open privileged files

Description

Security researcher Muneaki Nishimura reported that on Firefox for Android, a search engine can be registered and used to launch Firefox through an Android intent. When Firefox for Android is launched, the URL can executed with Firefox's system privileges if the crash reporter is used. This allows for the reading of local log files within Firefox, potentially leaking private information, and the loading of local HTML files through file: URIs.

Affected Products

Firefox

References

CVE-2015-7190,