Description
Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.
Published: 2026-02-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing of content under trusted domains via new‑tab page desynchronization
Action: Update Browser
AI Analysis

Impact

Malicious scripts that interrupt the loading of a new tab can desynchronize the browser’s address bar and the displayed page, allowing an attacker to inject arbitrary HTML that appears to come from a trusted site. The vulnerability is a client-side scripting flaw that results in deceptive content presentation without the user’s knowledge. It can be exploited by any site that hosts such scripts and does not trigger within a trusted domain context. This flaw permits attackers to mislead users into believing they are on a legitimate site while actually serving malicious content.

Affected Systems

Mozilla’s Firefox for iOS is vulnerable. The issue was addressed in Firefox for iOS version 147.2.1 and subsequent releases. Users operating older versions of Firefox on iOS devices must upgrade to eliminate the risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.3, indicating moderate risk. The EPSS score of less than 1% implies that the likelihood of exploitation is very low at present. The flaw is not listed in the CISA KEV catalog, which further reduces the perceived threat. Exploitation appears to require the user to load a malicious script that interferes with new‑tab navigation; remote exploitation over the network is not directly indicated in the description, so the attack vector is likely user‑initiated browsing. The official fix is a software update, which mitigates the flaw by preventing the script interruption entirely.

Generated by OpenCVE AI on April 15, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox for iOS 147.2.1 or later, which removes the script interruption bug
  • Disable or restrict third‑party JavaScript execution in Firefox’s privacy settings to reduce the chance of malicious scripts causing the desynchronization
  • Monitor browser behavior for unexpected new‑tab page changes and report any suspicious activity to Mozilla

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability affects Firefox for iOS < 147.2.1.
Values Added: Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.

Wed, 18 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared: Mozilla firefox
CPEs: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*
Vendors & Products: Mozilla firefox

Tue, 17 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-290

Tue, 17 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-451
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-290
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared: Mozilla; Mozilla firefox For Ios
Vendors & Products: Mozilla; Mozilla firefox For Ios

Mon, 16 Feb 2026 14:30:00 +0000

Type Values Removed Values Added
Description: Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability affects Firefox for iOS < 147.2.1.
Title: Interrupted page loads in new tabs could allow website spoofing under trusted domains in Firefox iOS
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-14T15:09:28.604Z

Reserved: 2026-02-06T00:51:21.376Z

Link: CVE-2026-2032

Vulnrichment

Updated: 2026-02-17T14:50:51.074Z

NVD

Status: Modified

Published: 2026-02-16T15:18:34.620

Modified: 2026-04-13T15:17:19.800

Link: CVE-2026-2032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses