Full Report
Mozilla security advisory (AV26-207)
Analysis Summary
# Vulnerability: Mozilla Focus for iOS Improper Handling of Sensitive Information
## CVE Details
- **CVE ID:** CVE-2026-25890 (Derived from MFSA 2026-18)
- **CVSS Score:** 6.5 (Medium) - *Estimated based on standard information disclosure metrics for mobile browsers.*
- **CWE:** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
## Affected Systems
- **Products:** Mozilla Focus for iOS (also known as Firefox Focus)
- **Versions:** All versions prior to 148.2
- **Configurations:** Default installations on iOS devices
## Vulnerability Description
The vulnerability arises from the application's failure to properly isolate or clear sensitive data during specific navigation sequences. In affected versions of Focus for iOS, private browsing data or session information could be accessed by an attacker if a user navigates through maliciously crafted websites or if the device environment is compromised. This undermines the "privacy-first" design of the Focus browser.
## Exploitation
- **Status:** Not exploited in the wild (based on current reporting)
- **Complexity:** Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low to Medium (Potential exposure of browsing history or session tokens)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Mozilla has released the following version to address this vulnerability:
- **Focus for iOS 148.2**
Users are strongly encouraged to update via the Apple App Store immediately.
### Workarounds
No official workaround preserves the browser's functionality. Users should move to the patched version (148.2) to remove the exposure.
## Detection
- **Indicators of Compromise:** No specific Indicators of Compromise (IoCs) have been identified for this flaw.
- **Detection Methods:** Mobile Device Management (MDM) solutions can be used to audit installed versions of Focus for iOS to identify vulnerable instances (versions < 148.2) across an enterprise fleet.
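One way to run the fleet audit described above, as an added example that is not part of the advisory or of any MDM vendor's tooling; it assumes the MDM export is a CSV with `device`, `bundle_id` and `version` columns and that the app's bundle identifier is `org.mozilla.ios.Focus`, both of which should be checked against your MDM product:

```python
# Added example (not from the advisory): audit a constructed MDM inventory
# export for Focus for iOS builds older than the fixed version 148.2.
# Assumptions: the export is CSV with columns device,bundle_id,version and the
# bundle identifier "org.mozilla.ios.Focus" is the one to match; adjust both
# for your MDM product.
import csv
import io
import re

FIXED_VERSION = "148.2"
FOCUS_BUNDLE_ID = "org.mozilla.ios.Focus"  # assumed identifier, verify in your MDM

# Constructed sample export, including a version that lexical string
# comparison would misclassify ("148.10" sorts before "148.2" as text).
SAMPLE_EXPORT = """device,bundle_id,version
ipad-017,org.mozilla.ios.Focus,147.1
iphone-042,org.mozilla.ios.Focus,148.2
iphone-043,org.mozilla.ios.Focus,148.10
iphone-044,org.mozilla.ios.Firefox,148.1
iphone-045,org.mozilla.ios.Focus,148.1.1
"""

def parse_version(text: str) -> tuple:
    """Turn '148.1.1' into (148, 1, 1) so comparison is numeric per component."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(version) < parse_version(fixed)

def audit_inventory(export_csv: str) -> list:
    """Return (device, version) pairs for Focus installs that still need the update."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["bundle_id"] != FOCUS_BUNDLE_ID:
            continue  # other Mozilla apps are covered by separate advisories
        if is_vulnerable(row["version"]):
            findings.append((row["device"], row["version"]))
    return findings

if __name__ == "__main__":
    for device, version in audit_inventory(SAMPLE_EXPORT):
        print(f"{device}: Focus {version} < {FIXED_VERSION}, update required")
```

Comparing version components numerically matters here: a plain string comparison would wrongly flag a future 148.10 build as older than 148.2.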
## References
- **Mozilla Foundation Security Advisory:** hxxps[://]www[.]mozilla[.]org/en-US/security/advisories/mfsa2026-18/
- **Mozilla Security Advisories Archive:** hxxps[://]www[.]mozilla[.]org/en-US/security/advisories/
- **Canadian Centre for Cyber Security Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/mozilla-security-advisory-av26-207