Description
The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.
Published: 2025-02-04
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a logic flaw where the fullscreen notification is prematurely hidden when a user quickly requests fullscreen again. This could allow a malicious site to masquerade as a legitimate fullscreen program and deceive the user. The issue corresponds to CWE-1021 (Resource Spoofing) and CWE-451 (Masquerading) but does not enable code execution or privilege escalation, only spoofing or phishing‑like attacks.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird products released before version 135 are affected. The flaw was fixed in Firefox 135 and Thunderbird 135, as stated in the references.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity for potential spoofing. The EPSS score of less than 1 % shows a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that exploitation would require the victim to interact with a malicious site that requests fullscreen in rapid succession, making the defect local to the user’s browsing session and unlikely to be abused remotely. However, because spoofing can be employed in phishing campaigns, the impact could still be significant if a user is tricked into engaging with malicious full‑screen content.

Generated by OpenCVE AI on April 21, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 135 or later
  • Upgrade Mozilla Thunderbird to version 135 or later
  • Configure browser security settings or extensions to restrict or warn about fullscreen requests from untrusted origins until updates can be applied

Generated by OpenCVE AI on April 21, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1973 The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
Ubuntu USN Ubuntu USN USN-7263-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135. The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.
Title firefox: thunderbird: Fullscreen notification is not displayed when fullscreen is re-requested Fullscreen notification is not displayed when fullscreen is re-requested

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00062}

 epss

{'score': 0.00078}

Fri, 07 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Fullscreen notification is not displayed when fullscreen is re-requested
Weaknesses CWE-451
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 06 Feb 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Wed, 05 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Description The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:10.866Z

Reserved: 2025-02-04T07:26:42.829Z

Link: CVE-2025-1018

cve-icon Vulnrichment

Updated: 2025-02-05T16:17:44.977Z

cve-icon NVD

Status : Modified

Published: 2025-02-04T14:15:32.727

Modified: 2026-04-13T15:16:50.840

Link: CVE-2025-1018

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-02-04T13:58:52Z

Links: CVE-2025-1018 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses