CVE-2026-2634: Vulnerability in Mozilla Firefox for iOS
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4.
AI Analysis
Technical Summary
This vulnerability involves a scripting issue in Firefox for iOS that causes the address bar to become out of sync with the actual web content before a response is received. As a result, an attacker can craft pages that appear to be from trusted domains, effectively spoofing the URL shown to the user. The issue is tracked as CWE-451 and was reported to Mozilla, who fixed it in Firefox for iOS 147.4. The vulnerability has a CVSS v3.1 score of 9.8, reflecting its critical severity and ease of exploitation without privileges or user interaction.
Potential Impact
Successful exploitation allows attackers to present malicious web pages under spoofed domain names in Firefox for iOS, potentially enabling phishing or other social engineering attacks by misleading users about the true origin of the content. The impact affects confidentiality, integrity, and availability as indicated by the CVSS vector. No known active exploits have been reported at this time.
Mitigation Recommendations
Mozilla has released an official fix for this vulnerability in Firefox for iOS version 147.4. Users and administrators should update to this version or later to fully remediate the issue. There are no vendor advisories indicating that no action is required or that the issue is mitigated by other means. Patch status is confirmed as fixed in the specified version.
CVE-2026-2634: Vulnerability in Mozilla Firefox for iOS
Description
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves a scripting issue in Firefox for iOS that causes the address bar to become out of sync with the actual web content before a response is received. As a result, an attacker can craft pages that appear to be from trusted domains, effectively spoofing the URL shown to the user. The issue is tracked as CWE-451 and was reported to Mozilla, who fixed it in Firefox for iOS 147.4. The vulnerability has a CVSS v3.1 score of 9.8, reflecting its critical severity and ease of exploitation without privileges or user interaction.
Potential Impact
Successful exploitation allows attackers to present malicious web pages under spoofed domain names in Firefox for iOS, potentially enabling phishing or other social engineering attacks by misleading users about the true origin of the content. The impact affects confidentiality, integrity, and availability as indicated by the CVSS vector. No known active exploits have been reported at this time.
Mitigation Recommendations
Mozilla has released an official fix for this vulnerability in Firefox for iOS version 147.4. Users and administrators should update to this version or later to fully remediate the issue. There are no vendor advisories indicating that no action is required or that the issue is mitigated by other means. Patch status is confirmed as fixed in the specified version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mozilla
- Date Reserved
- 2026-02-17T18:31:35.581Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 699daf6bbe58cf853bdddd68
Added to database: 2/24/2026, 2:02:19 PM
Last enriched: 4/14/2026, 11:59:51 AM
Last updated: 5/26/2026, 7:56:01 AM
Views: 314
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.