A critical vulnerability has been identified in the QR scanner component of Firefox for iOS. An attacker can craft a malicious QR code that, when scanned by a user, automatically opens an arbitrary and potentially malicious website without proper user validation. Successful exploitation could lead to sophisticated phishing attacks, credential theft, or malware distribution, posing a significant risk to user data and corporate security.

This vulnerability exists within the QR scanner functionality of Firefox for iOS due to improper handling of a specific "open-text URL scheme." An attacker can embed a specially crafted URL within a QR code. When a victim scans this malicious QR code, the vulnerable application fails to correctly parse or sanitize the URL, causing it to bypass security warnings and automatically navigate the browser to a destination controlled by the attacker. The exploit relies on social engineering to persuade a user to scan the QR code.

This vulnerability is rated as critical severity with a CVSS score of 9.1, reflecting the potential for significant damage with minimal user interaction post-scan. Exploitation can directly lead to targeted phishing campaigns against employees, resulting in the theft of corporate credentials, financial information, or other sensitive data. Further risks include the distribution of malware or spyware to mobile devices, potentially leading to a wider network compromise, data breaches, and reputational damage for the organization.

Immediate Action: Update The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.

Proactive Monitoring: Security teams should monitor for signs of exploitation, including unusual outbound traffic from mobile devices to uncategorized or known malicious domains. Review logs from Mobile Device Management (MDM) and web filtering solutions for suspicious URL access patterns originating from Firefox for iOS. Monitor for an increase in user-reported phishing attempts.

Compensating Controls: If immediate patching is not feasible, implement user awareness training focused on the dangers of scanning QR codes from untrusted or unknown sources. Employ network-level security controls, such as DNS filtering and secure web gateways, to block access to malicious websites as a secondary line of defense.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the direct risk of phishing and data compromise, we strongly recommend that organizations prioritize the immediate patching of this vulnerability. All instances of Firefox for iOS on corporate and BYOD devices should be updated to the latest version as soon as possible. Additionally, organizations should issue a security bulletin to all users, advising them to update their application and exercise extreme caution when scanning QR codes.