Mozilla Focus
Recent Mozilla Focus Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2025-76 | Security Vulnerabilities fixed in Focus for iOS 143.0 | September 16, 2025 |
| mfsa2025-69 | Security Vulnerabilities fixed in Focus for iOS 142 | August 19, 2025 |
| mfsa2025-33 | Security vulnerability fixed in Focus for iOS 138 | April 21, 2025 |
| mfsa2024-60 | Security Vulnerabilities fixed in Focus for iOS 132 | October 28, 2024 |
| mfsa2024-42 | Security Vulnerabilities fixed in Focus for iOS 130 | September 3, 2024 |
| mfsa2024-24 | Security Vulnerabilities fixed in Focus for iOS 126 | May 16, 2024 |
| mfsa2024-10 | Security Vulnerabilities fixed in Focus for iOS 123 | February 19, 2024 |
| mfsa2023-44 | Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0. | September 28, 2023 |
| mfsa2023-13 | Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112 | April 11, 2023 |
| mfsa2024-09 | Security Vulnerabilities fixed in Focus for iOS 122 | February 19, 2023 |
By the Year
In 2026 there have been 0 vulnerabilities in Mozilla Focus. Last year, in 2025, Focus had 4 security vulnerabilities published. Right now, Focus is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 4 | 7.13 |
| 2024 | 0 | 0.00 |
| 2023 | 15 | 7.17 |
| 2022 | 2 | 9.20 |
It may take a day or so for new Focus vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Focus Security Vulnerabilities
Focus iOS <143: Link Handling Bug (Context Menu URL Load/Toolbar)
CVE-2025-10290
6.5 - Medium
- September 16, 2025
Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability affects Focus for iOS < 143.0.
User Interface (UI) Misrepresentation of Critical Information
Focus iOS <142 XSS via URL Bar Dragging JS Links
CVE-2025-55033
6.1 - Medium
- August 19, 2025
Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability affects Focus for iOS < 142.
XSS
Focus iOS XSS via Ignored CD-Header
CVE-2025-55032
6.1 - Medium
- August 19, 2025
Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability affects Focus for iOS < 142.
Open Redirect
Firefox iOS FIDO Passkey Transport Exploit <142
CVE-2025-55031
9.8 - Critical
- August 19, 2025
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.
Open Redirect
Firefox WebExtension jar:file URI Leak (CVE-2023-29538)
CVE-2023-29538
4.3 - Medium
- June 02, 2023
Under specific circumstances a WebExtension may have received a `jar:file:///` URI instead of a `moz-extension:///` URI during a load request. This leaked directory paths on the user's machine. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Exposure of Resource to Wrong Sphere
Firefox <112 Fullscreen Notification Spoofing via window.open
CVE-2023-29533
4.3 - Medium
- June 02, 2023
A website could have obscured the fullscreen notification by using a combination of `window.open`, fullscreen requests, `window.name` assignments, and `setInterval` calls. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Firefox GC WeakMap Access Before Trace (v < 112, ESR < 102.10, Thunderbird < 102.10)
CVE-2023-29535
6.5 - Medium
- June 02, 2023
Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Mozilla Firefox Memory Manager Crash Vulnerability < v112
CVE-2023-29536
8.8 - High
- June 02, 2023
An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Dangling pointer
CVE-2023-29537: Race Conditions in Firefox Font Init Enable RCE
CVE-2023-29537
7.5 - High
- June 02, 2023
Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Race Condition
Memory Safety Bugs in Mozilla Firefox < 112 Allowing Arbitrary Execution
CVE-2023-29551
8.8 - High
- June 02, 2023
Memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Memory Corruption
Firefox <112 ESR<102.10 Reflected Download via NULL Filename Truncation
CVE-2023-29539
8.8 - High
- June 02, 2023
When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
NULL Pointer Dereference
Firefox Android Redirect via sourceMappingUrls Enables External Protocol
CVE-2023-29540
6.1 - Medium
- June 02, 2023
Using a redirect embedded into `sourceMappingUrls` could allow for navigation to external protocol links in sandboxed iframes without `allow-top-navigation-to-custom-protocols`. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Open Redirect
Firefox <112 Desktop File Command Injection on Linux
CVE-2023-29541
8.8 - High
- June 02, 2023
Firefox did not properly handle downloads of files ending in `.desktop`, which can be interpreted to run attacker-controlled commands. *This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions.* This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Output Sanitization
Firefox UAF in Debugger Vector (Android & Desktop)
CVE-2023-29543
8.8 - High
- June 02, 2023
An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Dangling pointer
Firefox <112 GC Memory Corruption Crash
CVE-2023-29544
6.5 - Medium
- June 02, 2023
If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Resource Exhaustion
Firefox Cookie Jar Desync via Insecure Cookie Creation (CVE-2023-29547)
CVE-2023-29547
6.5 - Medium
- June 02, 2023
When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Mozilla Firefox <112 Ion Compiler Wrong Optimization (CVE-2023-29548)
CVE-2023-29548
6.5 - Medium
- June 02, 2023
A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Moz Firefox bind() realm flaw could disrupt JS SES sandbox
CVE-2023-29549
6.5 - Medium
- June 02, 2023
Under certain circumstances, a call to the `bind` function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Inadequate Encryption Strength
Firefox 111 & ESR 102.9 Memory Corruption Arbitrary Code (Pre-112)
CVE-2023-29550
8.8 - High
- June 02, 2023
Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Firefox <97 + ESR <91.6.1 - XSLT Param Removal UAF
CVE-2022-26485
8.8 - High
- December 22, 2022
Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
Dangling pointer
Firefox <97.0.2: WebGPU IPC UAF Sandbox Escape
CVE-2022-26486
9.6 - Critical
- December 22, 2022
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
Dangling pointer