Firefox for Android addressbar can be removed after fullscreen mode
Announced: November 3, 2015
Reporter: Jordi Chancel
Fixed in: Firefox 42
Security researcher Jordi Chancel reported that when Firefox
for Android exits fullscreen mode, it can be induced through script to not restore the
addressbar when the window is redrawn in normal mode. This could allow an attacker to
spoof the addressbar with their own content.
This issue only affects Firefox for Android. Firefox on other operating systems is not affected.
Vulnerability demonstration (video):