This vulnerability involves Firefox for iOS's QR code scanner improperly handling URLs that use Firefox's open-text URL scheme. An attacker could craft a malicious QR code that, when scanned, causes the browser to open arbitrary websites without user consent. This behavior stems from insufficient validation or restrictions on the open-text URL scheme within the QR scanner functionality. The issue was fixed in Firefox for iOS 141, as confirmed by Mozilla's security advisory MFSA2025-60.

If exploited, this vulnerability could lead to arbitrary websites being opened on a victim's device without explicit user intent, potentially exposing users to phishing or other web-based attacks. The CVSS score of 9.1 reflects high confidentiality and integrity impact with no required privileges or user interaction beyond scanning the QR code. However, Mozilla rates the impact as moderate, possibly reflecting the requirement for user action (scanning a QR code) and the nature of the impact limited to opening URLs rather than direct code execution or data compromise.

A fix is available in Firefox for iOS version 141. Users and administrators should update to this version or later to remediate the vulnerability. Since the vendor advisory confirms the fix, no additional mitigation steps are required beyond applying the official update.