Description
Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.
Published: 2025-08-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized download initiation from sandboxed iframes
Action: Apply Patch
AI Analysis

Impact

Firefox for Android allowed a sandboxed iframe that lacked the allow-downloads attribute to trigger file downloads. This flaw, classified as CWE-732, permits untrusted web content to initiate arbitrary downloads without the user's explicit consent, potentially exposing users to malicious files, phishing, or malware. The impact is a compromise of user data integrity and confidentiality through unwanted downloads, which could facilitate further infection or data exfiltration.
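The HTML standard defines `sandbox` as a whitespace-separated, ASCII case-insensitive set of tokens, and a sandboxed frame may start downloads only when that set contains `allow-downloads`; an unsandboxed frame always may. The audit below, an added example that is not part of the OpenCVE record or of Mozilla's code, applies that rule to the iframes in a page so an embedding site can see which frames it was relying on the browser to restrict. The HTML snippet, hostnames and the simplified regex-based tag scanner are constructed for illustration.

```javascript
// Added example (not from the OpenCVE record): evaluates whether each <iframe>
// in a page is permitted to start downloads under the HTML spec's sandbox
// token semantics. The sample markup below is constructed for illustration.

// `sandbox` is an unordered set of unique, space-separated,
// ASCII case-insensitive tokens. Returns null when the attribute is absent.
function parseSandboxTokens(attrValue) {
  if (attrValue === null) return null;
  return new Set(
    attrValue.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)
  );
}

// True when the frame may start downloads:
//  - an unsandboxed frame always may;
//  - a sandboxed frame may only if `allow-downloads` is present
//    (an empty `sandbox` attribute therefore blocks downloads).
function downloadsPermitted(sandboxAttr) {
  const tokens = parseSandboxTokens(sandboxAttr);
  if (tokens === null) return true;
  return tokens.has('allow-downloads');
}

// Minimal extraction of <iframe> start tags and their attributes from an HTML
// string. A deliberately simple regex scan for static auditing, not an HTML parser.
function extractIframes(html) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const frames = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      const name = a[1].toLowerCase();
      // A valueless attribute (e.g. bare `sandbox`) is recorded as "".
      attrs[name] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    frames.push({
      src: attrs.src ?? null,
      sandbox: Object.prototype.hasOwnProperty.call(attrs, 'sandbox') ? attrs.sandbox : null,
    });
  }
  return frames;
}

// Report, per frame, whether the embedding page expects downloads to be blocked.
// Frames with sandboxed=true and downloadsPermitted=false are exactly the ones
// whose policy the affected Firefox for Android builds failed to enforce.
function auditIframes(html) {
  return extractIframes(html).map(f => ({
    src: f.src,
    sandboxed: f.sandbox !== null,
    downloadsPermitted: downloadsPermitted(f.sandbox),
  }));
}

// Constructed sample page with four embeds of differing policy.
const SAMPLE_HTML = `
<iframe src="https://ads.example/slot" sandbox="allow-scripts"></iframe>
<iframe src="https://widget.example/app" sandbox="allow-scripts ALLOW-DOWNLOADS"></iframe>
<iframe src="https://partner.example/embed"></iframe>
<iframe src="https://static.example/x" sandbox></iframe>
`;

console.log(JSON.stringify(auditIframes(SAMPLE_HTML), null, 2));
```

Run it with Node; the first and last frames are sandboxed without `allow-downloads` and so should never be able to start a download, the second opts in explicitly (token matching is case-insensitive), and the third is unsandboxed and unrestricted.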

Affected Systems

Mozilla Firefox for Android is affected. Versions prior to 141 contain the vulnerability; the issue was fixed in the 141 release. Users running earlier builds are at risk.

Risk and Exploitability

The CVSS score of 9.8 classifies the vulnerability as critical. However, the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis, and it is not listed in CISA's KEV catalog. The likely attack vector is a malicious or compromised web page that embeds a sandboxed iframe without allow-downloads and uses it to push a malicious payload download to the user. Exploitation requires the victim to view such content in Firefox for Android.

Generated by OpenCVE AI on April 20, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 141 or later.
  • If an immediate upgrade is not possible, disable automatic downloads or enforce stricter download policies in the Android device settings.
  • For web developers, add the allow-downloads attribute to sandboxed iframes to prevent background download initiation.

Generated by OpenCVE AI on April 20, 2026 at 16:48 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-25232
Title: Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141.
  Values Added: Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.
Type: Title
  Values Added: Sandboxed iframe could start downloads

Fri, 19 Sep 2025 17:00:00 +0000

Type: CPEs
  Values Added:
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
    cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Thu, 21 Aug 2025 12:45:00 +0000

Type: First Time appeared
  Values Added: Google, Google android, Mozilla, Mozilla firefox
Type: Vendors & Products
  Values Added: Google, Google android, Mozilla, Mozilla firefox

Wed, 20 Aug 2025 16:15:00 +0000

Type: Weaknesses
  Values Added: CWE-732
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 Aug 2025 21:00:00 +0000

Type: Description
  Values Added: Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:31.459Z

Reserved: 2025-07-22T10:14:13.121Z

Link: CVE-2025-8042

Vulnrichment

Updated: 2025-08-20T14:03:33.799Z

NVD

Status: Modified

Published: 2025-08-19T21:15:29.383

Modified: 2026-04-13T15:17:12.573

Link: CVE-2025-8042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses