CVE-2025-55029: Malicious scripts could spam popups for denial of service attacks in Mozilla Firefox for iOS
Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability affects Firefox for iOS < 142.
AI Analysis
Technical Summary
CVE-2025-55029 is a high-severity vulnerability affecting Mozilla Firefox for iOS versions prior to 142. The flaw allows malicious scripts to bypass the browser's popup blocker, so a page can open new tabs or popups without limit. Spawning windows uncontrollably consumes browser and device resources, degrading performance or crashing the browser, which is a denial of service (DoS) condition; the issue is classified as CWE-400 (uncontrolled resource consumption). The CVSS v3.1 base score is 7.5: network attack vector, low attack complexity, no privileges and no user interaction required, high impact on availability, and no impact on confidentiality or integrity. No exploits are known in the wild, and no patches have been linked at the time of publication. The issue is specific to Firefox for iOS, which runs on Apple's WebKit engine but implements its own UI and popup blocking logic, and that logic is where the bypass occurs. Exploitation is remote: crafted web content or a malicious website only needs to execute a script that triggers the popup spam, and because neither user interaction nor authentication is required, anyone browsing untrusted sites is exposed. The absence of a patch at publication time increases the urgency of interim mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to users and employees who use Firefox for iOS on corporate or personal devices. The uncontrolled spawning of popups can disrupt normal browsing activities, degrade device performance, and potentially lead to device crashes or forced restarts. This can interrupt business operations, reduce productivity, and increase support costs. In sectors relying on mobile web access, such as finance, healthcare, and government services, the availability impact could hinder critical workflows. Additionally, attackers could leverage this DoS vector as part of a broader attack campaign to distract or disable users, potentially facilitating other social engineering or phishing attacks. The vulnerability's exploitation does not compromise data confidentiality or integrity directly but can indirectly affect operational continuity and user trust. Organizations with mobile device management (MDM) policies that allow Firefox for iOS should be aware of this risk and monitor for unusual browser behavior or popup spam incidents.
Mitigation Recommendations
1. Immediate mitigation involves advising users to avoid visiting untrusted or suspicious websites using Firefox for iOS until a patch is released.
2. Organizations should consider temporarily restricting or disabling Firefox for iOS usage on managed devices via MDM solutions.
3. Monitor network traffic and endpoint logs for signs of abnormal popup activity or browser crashes that may indicate exploitation attempts.
4. Educate users about the risk of popup spam and encourage reporting of unusual browser behavior.
5. Once Mozilla releases an official patch, prioritize prompt deployment across all affected devices.
6. Consider deploying alternative browsers on iOS that are not affected by this vulnerability if urgent browsing needs exist.
7. Implement web content filtering or DNS filtering to block access to known malicious sites that could exploit this vulnerability.
8. Maintain up-to-date threat intelligence feeds to track any emerging exploits or attack campaigns leveraging this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-08-05T13:26:34.685Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68a4e678ad5a09ad00fb5d8a
Added to database: 8/19/2025, 9:02:48 PM
Last enriched: 8/27/2025, 1:12:44 AM
Last updated: 8/29/2025, 9:40:35 AM