Vulnerability in Firefox for Android that allows browser control over shared Wi-Fi

A serious vulnerability has been identified in Firefox for Android's implementation of the SSDP protocol, which is used to discover network services on a local network. The vulnerability allows an attacker on the same local or wireless network to respond to Firefox probe requests with a UPnP XML "LOCATION" message containing intent commands, which can be used to open an arbitrary URI in the browser or call handlers of other applications.

The problem is present up to the Firefox for Android 68.11.0 release and is fixed in Firefox for Android 79. In other words, the old classic releases of Firefox for Android are vulnerable, and blocking the issue requires migrating to the new edition of the browser (Fenix), which uses the GeckoView engine, built on Firefox Quantum technologies, and the Mozilla Android Components set of libraries. The desktop version of Firefox is not affected.

A working exploit prototype has been prepared for testing the vulnerability. The attack requires no action on the part of the user: it is enough that the vulnerable Firefox for Android browser is running on the mobile device and that the victim is on the same subnet as the attacker's SSDP server.

Firefox for Android periodically sends SSDP messages in broadcast mode (multicast UDP) to detect broadcasting devices present on the local network, such as media players and smart TVs. All devices on the local network receive these messages and are able to send a response. In normal operation, a device returns a link to the location of an XML file with information about the UPnP-capable device. During an attack, a URI with intent commands for Android can be passed instead of the link to the XML file.

Using intent commands, an attacker can redirect the user to phishing sites or send a link to an xpi file (the browser will prompt the user to install the add-on). Since the attacker's responses are not limited in any way, the attacker may try to wear the user down by flooding the browser with installation prompts or malicious sites, in the hope that the user will make a mistake and click to install a malicious package. In addition to opening arbitrary links in the browser itself, intent commands can be used to process content in other Android applications: for example, to open a message template in an email client (URI mailto:) or launch the interface for making a call (URI tel:).
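The missing check on the client side, as an added example (not code from Firefox or from the original article): an SSDP response's LOCATION value is accepted only when it is an http/https URL on the private address that sent the response. The function names, the "same host as the sender" policy and the sample responses are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # a device description is only ever fetched over HTTP(S)


def parse_ssdp_headers(datagram: bytes) -> dict:
    """Parse an SSDP search response (HTTP-over-UDP) into a lower-cased header dict."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP search response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def safe_location(datagram: bytes, sender_ip: str):
    """Return LOCATION if it may be fetched as a device description, else None."""
    try:
        location = parse_ssdp_headers(datagram).get("location", "")
        url = urlsplit(location)
        if url.scheme.lower() not in ALLOWED_SCHEMES or not url.hostname:
            return None  # rejects intent:, mailto:, tel: and any other handler scheme
        host = ipaddress.ip_address(url.hostname)  # DNS names raise ValueError
        # Assumed policy: the description must live on the private host that answered.
        if not host.is_private or host != ipaddress.ip_address(sender_ip):
            return None
    except ValueError:
        return None
    return location


def make_response(location: str) -> bytes:
    """Build a constructed sample SSDP response carrying the given LOCATION value."""
    return ("HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
            f"LOCATION: {location}\r\n\r\n").encode()


if __name__ == "__main__":
    for loc in ("http://192.168.1.20:8008/desc.xml",   # normal device reply
                "intent://example.test/#Intent;end",    # handler URI instead of XML link
                "mailto:user@example.test", "tel:5550100",
                "http://203.0.113.7/desc.xml"):         # host other than the sender
        print(f"{loc!r:45} -> {safe_location(make_response(loc), '192.168.1.20')}")
```

Only the first sample is returned; every other LOCATION value yields None and would never reach a URI or intent handler.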


Source: opennet.ru
