Impact
Users of Firefox Lite can be tricked into loading a web page that presents itself as a different page by modifying (spoofing) the URL shown in the location bar.
It is possible to spoof the full Firefox Lite address bar, including the secure padlock, by typing or pasting into the address bar the URL of a website that returns an empty response body (https://www.google.com/csi) or of a closed port (https://www.google.com:82). While Firefox Lite loads the content, the target website URL stays on the address bar, so we can spoof the current content using the onbeforeunload event.
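The location-bar state described above can be modelled as follows. This is an added example: it is not Firefox Lite code and does not reproduce the 2.6.1 patch. The `Tab` class, its two display policies and the `untrusted.example` origin are assumptions constructed for illustration; the check is that the origin shown in the bar must equal the origin of the document that owns the visible content.

```javascript
// Simplified model of one browser tab's location bar (hypothetical names throughout).
class Tab {
  constructor(policy) {
    this.policy = policy;      // "pending": bar shows the typed URL before any commit
                               // "committed": bar shows only the committed document URL
    this.committedUrl = null;  // URL of the document that owns the visible content
    this.pendingUrl = null;    // URL the user typed; nothing rendered from it yet
  }
  commit(url) { this.committedUrl = url; this.pendingUrl = null; }
  startNavigation(url) { this.pendingUrl = url; }
  // Navigation ended without producing a document (empty body, closed port).
  failNavigation() {
    if (this.policy === "committed") this.pendingUrl = null;
  }
  locationBar() {
    const shown =
      (this.policy === "pending" && this.pendingUrl) || this.committedUrl;
    return { url: shown, padlock: shown.startsWith("https://") };
  }
  // Invariant check: displayed origin must match the origin that owns the content.
  isSpoofed() {
    const shownOrigin = new URL(this.locationBar().url).origin;
    return shownOrigin !== new URL(this.committedUrl).origin;
  }
}

// Runs the sequence from the advisory: a page is loaded, the user types a
// target URL, and the navigation never yields a document.
function simulate(policy, targetUrl) {
  const tab = new Tab(policy);
  tab.commit("https://untrusted.example/"); // constructed placeholder origin
  tab.startNavigation(targetUrl);
  const duringLoad = tab.isSpoofed();
  tab.failNavigation();
  return { duringLoad, afterFailure: tab.isSpoofed(), bar: tab.locationBar() };
}

console.log(simulate("pending", "https://www.google.com:82"));
console.log(simulate("committed", "https://www.google.com/csi"));
```

Under the "pending" policy the bar shows the target URL with a padlock while the previous document still owns the content; under the "committed" policy the invariant holds both during the load and after it fails.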
Patches
This issue has been patched in Firefox Lite 2.6.1, which is available through the Google Play Store (not available in all regions) or for direct download through the 2.6.1 Release page.
Workarounds
No workaround is available. It is recommended to upgrade to Firefox Lite 2.6.1.
References
This issue is documented and discussed in Bugzilla #1681103.
For more information
If you have any questions or comments about this advisory: