CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (NVD)
When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144.
Analysis (AI)
Firefox for Android leaks the content of password-related screens through the Android task switcher (Recent Apps card carousel), exposing sensitive information to anyone with physical or remote access to the device. Affects Firefox for Android versions prior to 144. No public exploit was identified at the time of analysis, but exploitation is trivial: it requires only access to the device and standard OS features. The CVSS score of 9.1 reflects the unauthenticated network attack vector in the NVD vector string, though real-world exploitation typically requires local device access, which makes the practical risk moderate for most threat models.
Technical Context (AI)
This is an information disclosure vulnerability (CWE-200) in Firefox for Android's task switcher integration. Android's Recent Apps carousel displays preview cards of running applications for quick switching. Firefox failed to redact or blank password-related screens (the password edit interface) when the app was backgrounded, so sensitive credential information persisted in the task switcher preview image. Instead of showing the intended black card, Firefox versions before 144 exposed the actual password management interface in the carousel thumbnail. This departs from Android security best practice for handling sensitive data in app preview states, which is normally implemented by setting the FLAG_SECURE window flag or a similar mechanism on the affected screen. The vulnerability affects Mozilla Firefox for Android across all versions prior to the 144 release, as indicated by the CPE string cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*.
Remediation (AI)
Upgrade Firefox for Android to version 144 or later, which implements proper screen redaction for password-related interfaces in the Android task switcher. Download the patched version from the Google Play Store or Mozilla's official distribution channels. The fix ensures that password edit screens display as black cards in the Recent Apps carousel, preventing credential exposure. No vendor-supplied workaround exists for earlier versions; upgrading is the only effective mitigation. As an interim measure, users unable to upgrade immediately should manually clear Firefox from the Recent Apps list after accessing password management features and avoid using password-related functions in public environments. Consult Mozilla Security Advisory MFSA2025-81 at https://www.mozilla.org/security/advisories/mfsa2025-81/ for complete remediation guidance and release notes. Enterprise deployments should prioritize updating managed Firefox for Android installations through MDM platforms.
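As an added illustration of the mitigation the Technical Context and Remediation sections describe (this is not Firefox's own code; the package name and the PasswordEditFragment class are hypothetical, while the Android framework calls are real): a credential screen that keeps itself out of the Recent Apps thumbnail for as long as it is on screen.

```kotlin
package example.recents   // hypothetical package name

import android.os.Build
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import androidx.fragment.app.Fragment

// Hypothetical fragment standing in for a password edit screen.
class PasswordEditFragment : Fragment() {

    override fun onViewCreated(view: View, savedInstanceState: Bundle?) {
        super.onViewCreated(view, savedInstanceState)
        val activity = requireActivity()
        // FLAG_SECURE excludes the window from screenshots, screen recording
        // and the Recent Apps preview, so the task switcher shows a blank
        // card instead of the credential UI.
        activity.window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        // Android 13+ (API 33) adds a narrower control that blanks only the
        // Recents snapshot and leaves deliberate user screenshots allowed.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            activity.setRecentsScreenshotEnabled(false)
        }
    }

    // Restore normal behaviour only when the password UI is torn down.
    // Do not clear the flag in onPause: the Recents snapshot is captured as
    // the app goes to the background, while this screen is still visible,
    // and clearing early would reintroduce the leak this page describes.
    override fun onDestroyView() {
        val activity = requireActivity()
        activity.window.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            activity.setRecentsScreenshotEnabled(true)
        }
        super.onDestroyView()
    }
}
```

To verify the protection on a device, open the screen, press the Recents button and confirm the app's card is blank rather than a rendering of the credential UI.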