Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS < 148.2.
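PUBLISHED · CVE record format 5.2 (the record's dataVersion, not a severity score). The CISA-ADP CVSS 3.1 assessment in the JSON below is 4.3 MEDIUM with UI:R; the description's "without user interaction" appears to refer to the spoofed domain display itself once the attacker's page is open.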
Attacker-controlled content shown under spoofed domains in Focus for iOS via stalled navigation and iframe redirect
Affected products
Mozilla
Focus for iOS
< 148.2 - AFFECTED
References
bugzilla.mozilla.org
https://bugzilla.mozilla.org/show_bug.cgi?id=1975842
mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-18/
GitHub Security Advisories
GHSA-c64m-p38j-gxh3
Malicious scripts could display attacker-controlled web content under spoofed domains in Focus...
https://github.com/advisories/GHSA-c64m-p38j-gxh3
Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS < 148.2.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-2919
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-2919",
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"dateUpdated": "2026-03-09T14:43:51.521Z",
"dateReserved": "2026-02-20T22:12:39.140Z",
"datePublished": "2026-03-09T13:27:49.158Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla",
"dateUpdated": "2026-03-09T13:27:49.158Z"
},
"title": "Attacker-controlled content shown under spoofed domains in Focus for iOS via stalled navigation and iframe redirect",
"descriptions": [
{
"lang": "en",
"value": "Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS < 148.2.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS < 148.2."
}
]
}
],
"affected": [
{
"vendor": "Mozilla",
"product": "Focus for iOS",
"versions": [
{
"version": "unspecified",
"status": "affected",
"versionType": "custom",
"lessThan": "148.2"
}
]
}
],
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1975842"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-18/"
}
],
"credits": [
{
"lang": "en",
"value": "Renwa Hiwa"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-03-09T14:43:51.521Z"
},
"title": "CISA ADP Vulnrichment",
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
"cweId": "CWE-451",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
},
{}
]
}
]
}
}