CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Description (NVD)
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.
Analysis (AI)
User interface spoofing in the Custom Tabs implementation of Firefox and Firefox Focus for Android lets a remote attacker misrepresent which subdomain a page came from. The custom tab toolbar displayed only the site of the loaded page (in practice the registrable domain, e.g., example.com) rather than its full hostname, so user-supplied content hosted on one subdomain (e.g., evil.example.com) carries the same label as a sibling subdomain the user trusts (e.g., legitimate.example.com). The vector scores 8.1 (High): network-reachable, low complexity, no privileges, with user interaction required (the victim must open the link from an app that uses custom tabs) and High impact on confidentiality and integrity but none on availability. The flaw was fixed in Firefox 144. No public exploit was identified at the time of analysis, but the attacker needs nothing beyond a URL on a subdomain where they can place content, so a working lure is trivial to build.
Technical Context (AI)
The vulnerability affects Firefox and Firefox Focus on Android, specifically Custom Tabs, the feature that lets a third-party app open web content in a lightweight, browser-provided tab wrapped in the app's own chrome. It is classified as CWE-451 (User Interface Misrepresentation of Critical Information): the toolbar showed the site of the loaded page rather than its full hostname. Instead of displaying 'attacker.bank.com', the custom tab showed only 'bank.com', so user-controlled content on any subdomain appears to originate from the trusted parent domain and is indistinguishable from any of its sibling subdomains. The CVSS vector describes network-reachable (AV:N), low-complexity (AC:L) exploitation with no privileges (PR:N) but user interaction (UI:R): the victim has to open the attacker's link in a custom tab. Scope is unchanged (S:U) because the vulnerable and the impacted component are both the browser. Confidentiality and integrity are rated High (C:H/I:H) because a convincing lookalike login page or form on the attacker's subdomain can capture credentials or have the user submit data to attacker-controlled content; availability is unaffected (A:N).
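To make the display bug concrete, the following is an added example in JavaScript (not Mozilla's Fenix or android-components code): a toolbar-label function that reduces a URL to its site, the hardened variant that keeps the full hostname, and a check that asks whether two different origins render identically. The registrable-domain heuristic (last two labels, plus a tiny constructed table of two-label suffixes) is an assumption standing in for the real Public Suffix List, and the URLs and helper names are constructed for the example.

```javascript
// Added example, not Mozilla's code. Illustrates why showing only the
// "site" of a page lets content on one subdomain pass for another.

// Stand-in for the Public Suffix List: a tiny constructed table of
// suffixes that span two labels. A real browser uses the full list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Registrable domain ("site"): public suffix plus one more label.
// Hypothetical helper; the heuristic is an assumption for this example.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const suffixLabels = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 2 : 1;
  return labels.slice(-(suffixLabels + 1)).join(".");
}

// Vulnerable toolbar label: collapses the loaded page to its site.
// new URL() is used so userinfo, ports and paths never leak into the label.
function toolbarLabelSiteOnly(url) {
  return registrableDomain(new URL(url).hostname);
}

// Hardened toolbar label: the full hostname, which is what the advisory
// says the custom tab UI failed to show before Firefox 144.
function toolbarLabelFullHost(url) {
  return new URL(url).hostname;
}

// Does a given labelling function render two different URLs identically?
function labelsCollide(labelFn, urlA, urlB) {
  return labelFn(urlA) === labelFn(urlB);
}

// Constructed URLs: the trusted login page and attacker-supplied content
// hosted on a sibling subdomain of the same site.
const TRUSTED_URL = "https://legitimate.example.com/login";
const ATTACKER_URL = "https://evil.example.com/login";

// Run the comparison for both labelling strategies.
function compareStrategies() {
  return {
    siteOnly: labelsCollide(toolbarLabelSiteOnly, TRUSTED_URL, ATTACKER_URL),
    fullHost: labelsCollide(toolbarLabelFullHost, TRUSTED_URL, ATTACKER_URL),
  };
}

console.log(compareStrategies()); // siteOnly: true (spoofable), fullHost: false
```

Both labelling functions go through the parsed hostname rather than the raw string, so a userinfo trick such as `https://legitimate.example.com@evil.example.com/` still labels as evil.example.com under the hardened variant; the site-only variant collapses it to example.com just like any other sibling subdomain.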
Remediation (AI)
Update Firefox for Android to version 144 or later, which contains the vendor fix for the UI spoofing flaw. Users can update through the Google Play Store or from Mozilla's official distribution channels. Enterprise administrators should push version 144 or later through their mobile device management (MDM) platform. There is no workaround: the custom tab hostname display logic is fixed only in the patched release. The bug is specific to the custom tab UI that other apps open; the regular Firefox tab UI is not described as affected. Firefox Focus for Android users should upgrade to the corresponding patched release and confirm that the installed version is the one Mozilla lists as addressing CVE-2025-11720. Consult Mozilla's security advisory MFSA2025-81 (https://www.mozilla.org/security/advisories/mfsa2025-81/) for complete remediation guidance. Bugzilla references https://bugzilla.mozilla.org/show_bug.cgi?id=1979534 and https://bugzilla.mozilla.org/show_bug.cgi?id=1984370 provide implementation details for security teams validating the fix.