Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.CreditsAxel Chong (@Haxatron)Referenceshttps://bugzilla.mozilla.org/show_bug.cgi?id=1791322https://www.mozilla.org/security/advisories/mfsa2025-56/
