Description
Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability was fixed in Focus for iOS 143.0.
Published: 2025-09-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofed website display
Action: Apply patch
AI Analysis

Impact

Opening links via the contextual menu in Focus for iOS fails to refresh the toolbar when certain URL schemes are used, letting the application display an incorrect or misleading title. This UI flaw enables attackers to spoof the appearance of a website if a user is coerced into opening a link through a long-press, potentially tricking them into providing information or believing they are on a trusted site. The root weakness aligns with CWE-451, Information Exposure by Design.

Affected Systems

The vulnerability affects Mozilla Focus for iOS versions prior to 143.0. The fix was applied in Focus for iOS 143.0 and later releases, so only installations using older builds are susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity, and the EPSS score of less than 1% suggests a low exploitation probability. The exploit requires user interaction – specifically a long‑press to open a link – so it is largely dependent on social engineering. The vulnerability is not listed in CISA’s KEV catalog, further indicating a lower threat level.

Generated by OpenCVE AI on April 20, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Focus for iOS update (143.0 or newer).
  • If an update cannot be applied immediately, avoid using the long‑press contextual menu to open links from untrusted sources.
  • Stay informed of future security advisories from Mozilla regarding Focus for iOS.



Advisories
Source: EUVD
ID: EUVD-2025-29552
Title: Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press This vulnerability affects Focus for iOS < 143.0.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press This vulnerability affects Focus for iOS < 143.0.
Values Added: Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability was fixed in Focus for iOS 143.0.

Thu, 30 Oct 2025 16:30:00 +0000

Type: Title
Values Added: Opening links via the contextual menu in Focus for iOS would not update the toolbar UI correctly, allowing attackers to spoof websites

Fri, 19 Sep 2025 21:00:00 +0000

Type: First Time appeared
Values Added: Mozilla firefox Focus

Type: CPEs
Values Added: cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*

Type: Vendors & Products
Values Added: Mozilla firefox Focus

Wed, 17 Sep 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Apple; Apple ios; Mozilla; Mozilla focus For Ios

Type: Vendors & Products
Values Added: Apple; Apple ios; Mozilla; Mozilla focus For Ios

Tue, 16 Sep 2025 19:15:00 +0000

Type: Weaknesses
Values Added: CWE-451

Type: Metrics
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Sep 2025 12:45:00 +0000

Type: Description
Values Added: Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press This vulnerability affects Focus for iOS < 143.0.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:50.967Z

Reserved: 2025-09-11T17:59:15.574Z

Link: CVE-2025-10290

Vulnrichment

Updated: 2025-09-16T17:30:18.323Z

NVD

Status: Modified

Published: 2025-09-16T13:15:41.520

Modified: 2026-04-13T15:16:35.563

Link: CVE-2025-10290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:00:11Z

Weaknesses