CVE-2025-1939 — Exposure of Private Personal Information to an Unauthorized Actor in Mozilla Firefox

CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor CWE-1021 — UI Misrepresentation / Clickjacking10 documents8 sources

Severity

3.9LOWNVD

OSV5.5

EPSS

0.1%

top 67.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Mozilla Firefox

Timeline

PublishedMar 4

Latest updateJan 14

Description

Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.5

Affected Packages2 packages

▶NVDmozilla/firefox< 136.0

▶Linuxlinux/linux_kernel6.5.0 — 6.6.120+2

🔴Vulnerability Details

OSV

f2fs: ensure node page reads complete before f2fs_put_super() finishes↗2026-01-14

▶

GHSA

GHSA-x9h6-qwxm-528g: Android apps can load web pages using the Custom Tabs feature↗2025-03-04

▶

OSV

CVE-2025-1939: Android apps can load web pages using the Custom Tabs feature↗2025-03-04

▶

CVEList

Tapjacking in Android Custom Tabs using transition animations↗2025-03-04

▶

📋Vendor Advisories

Red Hat

kernel: f2fs: ensure node page reads complete before f2fs_put_super() finishes↗2026-01-14

▶

Red Hat

firefox: Tapjacking in Android Custom Tabs using transition animations↗2025-03-04

▶

Debian

CVE-2025-1939: firefox - Android apps can load web pages using the Custom Tabs feature. This feature supp...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-14: CVE-2025-1939↗

▶