CVE-2025-1019 — UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021 — UI Misrepresentation / Clickjacking CWE-451 — User Interface (UI) Misrepresentation of Critical Information11 documents8 sources

Severity

4.3MEDIUMNVD

OSV9.8

EPSS

0.3%

top 47.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedFeb 4

Latest updateFeb 2

Description

The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmozilla/firefox< 135.0

▶NVDmozilla/thunderbird131.0 — 135.0

▶Ubuntumozilla/firefox< 135.0+build2-0ubuntu0.20.04.1

▶Ubuntumozilla/thunderbird< 1:140.7.1+build1-0ubuntu0.22.04.1

🔴Vulnerability Details

OSV

firefox vulnerabilities↗2025-02-11

▶

OSV

CVE-2025-1019: The z-order of the browser windows could be manipulated to hide the fullscreen notification↗2025-02-04

▶

GHSA

GHSA-gg39-4c5c-pfx2: The z-order of the browser windows could be manipulated to hide the fullscreen notification↗2025-02-04

▶

CVEList

Fullscreen notification not properly displayed↗2025-02-04

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Ubuntu

Firefox vulnerabilities↗2025-02-11

▶

Red Hat

firefox: thunderbird: Fullscreen notification not properly displayed↗2025-02-04

▶

Debian

CVE-2025-1019: firefox - The z-order of the browser windows could be manipulated to hide the fullscreen n...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-07: CVE-2025-1019↗

▶