mozilla firefox focus

19 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-2919
< 148.2
Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigat
4.3 MEDIUM
CVE-2025-10290
< 143.0
Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar co
6.5 MEDIUM
CVE-2025-55033
< 142.0
Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS
6.1 MEDIUM
CVE-2025-55032
< 142.0
Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline,
6.1 MEDIUM
CVE-2025-55031
< 142.0
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker with
9.8 CRITICAL
CVE-2025-3859
< 138.0
Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to
6.1 MEDIUM
CVE-2024-10474
< 132.0
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentia
6.5 MEDIUM
CVE-2024-8399
< 130.0
Websites could utilize JavaScript links to spoof URL addresses in the Focus navigation bar. This vulnerability affects Focus for iO
4.7 MEDIUM
CVE-2024-5022
< 126.0
The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar. This vulnerabi
4.4 MEDIUM
CVE-2024-26284
< 123.0
Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the vic
6.1 MEDIUM
CVE-2024-1563
< 122.0
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with
8.1 HIGH
CVE-2024-0606
< 122.0
An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI le
6.1 MEDIUM
CVE-2024-0605
< 122.0
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlb
7.5 HIGH
CVE-2023-6870
all versions
Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firef
4.3 MEDIUM
CVE-2023-29546
< 112.0
When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potential
6.5 MEDIUM
CVE-2023-29534
< 112.0
Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. These could have led to pot
9.1 CRITICAL
CVE-2023-25743
all versions
A lack of in-app notification for entering fullscreen mode could have led to a malicious website spoofing browser chrome. *Thi
7.5 HIGH
CVE-2022-26486
< 97.3.0
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had repor
9.6 CRITICAL
CVE-2022-26485
< 97.3.0
Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in t
8.8 HIGH