CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Description (NVD)
When the address bar was hidden due to scrolling on Android, a malicious page could create a fake address bar to fool the user in response to a visibilitychange event. This vulnerability was fixed in Firefox 144.
Analysis (AI-generated)
Firefox on Android allows a remote attacker to display a fake address bar by abusing the visibilitychange event at the moment the legitimate address bar is hidden by scrolling, enabling phishing and user deception. The vulnerability affects Firefox versions prior to 144 and requires user interaction (clicking on the fake address bar). Mozilla released Firefox 144 to address this issue, and there was no evidence of active exploitation at the time of analysis.
Technical Context (AI-generated)
This vulnerability abuses the DOM visibilitychange event on Firefox for Android to detect when the native address bar (also called the toolbar or URL bar) is hidden during page scrolling. The root cause is classified as CWE-451 (User Interface (UI) Misrepresentation of Critical Information): the browser fails to protect a critical UI element from being spoofed or obscured by web content. Once the legitimate address bar scrolls out of view, malicious JavaScript can inject HTML/CSS that renders a visually identical fake address bar, leading users to believe they are looking at genuine browser UI. This is possible because web content is insufficiently restricted from mimicking browser chrome, and the visibilitychange event gives the page precise control over when the fake bar is shown.
Remediation (AI-generated)
Users should upgrade Firefox on Android to version 144 or later. Vendor-released patch: Firefox 144. No workarounds are available for users running older versions, since the fix requires changes to the browser's event handling and UI rendering logic. Users who cannot upgrade immediately should avoid clicking on suspicious links or on an address bar that looks unusual, and should consider using an alternative browser until the update can be applied. IT administrators managing Firefox deployments should ensure automatic updates are enabled and deploy Firefox 144 or later across all Android endpoints. Additional information and release notes are available at https://www.mozilla.org/security/advisories/mfsa2025-81/.