Strip "javascript:" scheme when pasting/dropping into the address bar to prevent socially engineered self-XSS
Categories
(Focus :: General, defect)
Tracking
(Not tracked)
People
(Reporter: dveditz, Unassigned)
References
Details
(Keywords: sec-low)
+++ This bug was initially created as a clone of Bug #1725626 +++
Steps to reproduce:
A self UXSS has been identified in the Firefox Android browser.
Normally, while pasting a javascript: URI into the Firefox desktop URL bar/omnibox, the "javascript" word is removed, and also if we type it the XSS won't happen.
But in the Android browser it can be pasted and XSS can be done.
1. Go to any website in Firefox
2. Paste the URL javascript:alert(1) or javascript:alert(document.cookie)
Actual results:
SELF UXSS
Expected results:
SELF UXSS
Comment 1•3 years ago
Unlike Fenix, Javascript:alert(1) with a capital-J does not work, it has to be javascript:alert(1) with an all lower-case scheme. Clearly there is different normalization going on in Focus. Or zero normalization and then a whitelist of allowed schemes?
Given the single-task nature of Focus it might be simplest to drop support for javascript: in the addressbar entirely -- this is not exactly a power-user browser. It still does need to be supported in content since this is both valid and still common on sites.
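The normalization gap described above (desktop strips the javascript: scheme on paste; the Focus address bar only matched the exact lower-case spelling, so a capital-J variant slipped through), as an added example that is not Firefox, Fenix, Focus or Android Components code. All function names are hypothetical. The input pre-processing follows the WHATWG URL parser's rules (trim leading/trailing C0 controls and spaces, drop ASCII tabs and newlines); treating that as the right pre-processing for an address-bar normalizer is an assumption of this example, not a description of what the browsers on this page do.

```javascript
// Added example, not the project's own code. Shows why the scheme check has
// to run on normalized input and compare case-insensitively, rather than on
// the raw pasted string.

// Mirror the WHATWG URL parser's input pre-processing (assumption: this is
// what a robust address-bar normalizer should do): strip leading and trailing
// C0 controls and spaces, then remove every ASCII tab, CR and LF.
function normalizeUrlInput(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Extract the scheme from normalized input, lower-cased, or null when the
// input does not start with a syntactically valid scheme followed by ":".
function getScheme(normalized) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normalized);
  return m ? m[1].toLowerCase() : null;
}

// Hypothetical weak version: exact, case-sensitive prefix match on the raw
// text. "Javascript:alert(1)" and "  javascript:alert(1)" both get through.
function sanitizeNaive(text) {
  const prefix = "javascript:";
  return text.startsWith(prefix) ? text.slice(prefix.length) : text;
}

// Hardened version: normalize first, compare the parsed scheme
// case-insensitively, then drop the scheme so the remainder is treated as
// plain text (search terms) instead of executable script.
function sanitizePastedUrl(text) {
  const normalized = normalizeUrlInput(text);
  if (getScheme(normalized) === "javascript") {
    return normalized.slice(normalized.indexOf(":") + 1);
  }
  return normalized;
}

// Constructed paste/drop inputs covering the case from the report and the
// capital-J and whitespace variants that a raw prefix check misses.
const SAMPLE_PASTES = [
  "javascript:alert(1)",
  "Javascript:alert(1)",
  "  JAVASCRIPT:alert(document.cookie)",
  "java\tscript:alert(1)",
  "https://example.com/",
  "javascript alert",
];

// Returns [input, naiveResult, hardenedResult] triples for the samples.
function compareSanitizers(inputs = SAMPLE_PASTES) {
  return inputs.map((s) => [s, sanitizeNaive(s), sanitizePastedUrl(s)]);
}

for (const [input, naive, hardened] of compareSanitizers()) {
  console.log(JSON.stringify(input), "->", JSON.stringify(naive), "|", JSON.stringify(hardened));
}
```

The tab-in-the-middle case matters because the URL parser discards tabs and newlines before it looks for a scheme, so a string that does not start with "javascript:" byte-for-byte can still parse as a javascript: URL once it reaches the navigation code.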
In Focus this issue has been fixed. Any updates about the fix on the Firefox Android browser?
Comment 3•3 years ago
This has not been fixed in Focus.
Comment hidden (duplicate)
Comment 6•3 years ago
Cc to Amedyne to delegate to the Focus Android engineering team.
Comment hidden (duplicate)
Comment 8•3 years ago
Working with the Focus Android team to evaluate this.
Comment 9•3 years ago
Focus uses the same browser toolbar as Fenix, from AC. This issue should be fixed by the same AC PR as Fenix.
Comment 10•3 years ago
This has been resolved.
Comment 11•3 years ago
As a MoCo employee I'm not eligible for a bug bounty. Essentially this is a dupe of the reporter's bug 1725626, which was a bug in the shared Android Components. I filed this dupe as a release-tracking placeholder.