Mozilla Foundation Security Advisory 2020-15
Security Vulnerabilities fixed in Firefox for iOS 25
Announced
May 1, 2020
Impact
moderate
Products
Firefox for iOS
Fixed in
Firefox for iOS 25
Reporter
Vinoth Kumar
Impact
moderate
Description
For native-to-JS bridging, the app requires a unique token to be passed, which ensures that non-app code cannot call the bridging functions. The same token was also being used for JS-to-native calls, where it is not needed, and its use there was leaking the token.
References