Security researcher Shuichiro Suzuki of the Fourteenforty
Research Institute reported the app_tmp
directory is set to be
world readable and writeable by Firefox for Android. This potentially allows for
third party applications to replace or alter Firefox add-ons when downloaded
because they are temporarily stored in the app_tmp
directory before
installation.
This vulnerability only affects Firefox for Android.