CVE-2025-1018 — UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021 — UI Misrepresentation / Clickjacking CWE-451 — User Interface (UI) Misrepresentation of Critical Information11 documents8 sources

Severity

5.3MEDIUMNVD

OSV9.8

EPSS

0.2%

top 60.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedFeb 4

Latest updateFeb 2

Description

The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDmozilla/firefox< 135.0

▶NVDmozilla/thunderbird131.0 — 135.0

▶Ubuntumozilla/firefox< 135.0+build2-0ubuntu0.20.04.1

▶Ubuntumozilla/thunderbird< 1:140.7.1+build1-0ubuntu0.22.04.1

🔴Vulnerability Details

OSV

firefox vulnerabilities↗2025-02-11

▶

OSV

CVE-2025-1018: The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user↗2025-02-04

▶

GHSA

GHSA-cj2j-jvqc-2vrv: The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user↗2025-02-04

▶

CVEList

Fullscreen notification is not displayed when fullscreen is re-requested↗2025-02-04

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Ubuntu

Firefox vulnerabilities↗2025-02-11

▶

Red Hat

firefox: thunderbird: Fullscreen notification is not displayed when fullscreen is re-requested↗2025-02-04

▶

Debian

CVE-2025-1018: firefox - The fullscreen notification is prematurely hidden when fullscreen is re-requeste...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-11: CVE-2025-1018↗

▶