A critical vulnerability has been identified in the Mozilla Firefox browser for Android devices. This flaw allows a malicious website to bypass a security restriction and initiate a file download onto a user's device without their consent. Successful exploitation could lead to a user unknowingly downloading malware, ransomware, or other malicious files, potentially resulting in device compromise or data theft.

The vulnerability exists in how Firefox for Android handles sandboxed iframe elements. The HTML iframe sandbox attribute is a security feature that restricts the capabilities of embedded content. The allow-downloads flag, when omitted, is intended to prevent the embedded content from initiating file downloads. However, vulnerable versions of Firefox for Android fail to enforce this restriction, allowing a sandboxed iframe to trigger a download even when it is not explicitly permitted. An attacker can exploit this by hosting a malicious webpage that embeds such an iframe, leading to a "drive-by download" attack when a user visits the page.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to significant business impact, including the introduction of malware or ransomware onto corporate or personal devices used for work (BYOD). A successful attack could result in a full system compromise, leading to data breaches, theft of sensitive corporate information, financial loss, and reputational damage. A compromised mobile device could also serve as a pivot point for an attacker to gain access to the broader corporate network.

Immediate Action: Update all instances of Firefox for Android to version 141 or the latest available version immediately. This action directly patches the vulnerability and removes the risk. Following the update, monitor for any signs of exploitation that may have occurred prior to patching by reviewing device logs and network traffic for suspicious download activity.

Proactive Monitoring: Implement monitoring on endpoint security solutions (MDM/EDR) for unusual file downloads originating from the Firefox for Android browser, particularly files with executable or script extensions (e.g., .apk). Network monitoring should be configured to flag and alert on downloads from untrusted or newly registered domains accessed by mobile devices.

Compensating Controls: If immediate patching is not feasible, consider implementing compensating controls. Use web filtering solutions to block access to known malicious and untrusted websites. Enforce mobile device management (MDM) policies that restrict users from installing applications from unknown sources, which would prevent a downloaded malicious app from being installed. Educate users on the risks of opening or running files downloaded unexpectedly from the internet.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability poses a severe risk to the organization. We strongly recommend that all vulnerable instances of Firefox for Android are updated to a patched version with the highest priority. Although this CVE is not currently listed on the CISA KEV catalog, its potential for enabling drive-by malware attacks warrants immediate attention and remediation to prevent device compromise and potential network intrusion.