Description
The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.
Published: 2025-02-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing via z‑order manipulation of fullscreen notifications
Action: Upgrade Vendor
AI Analysis

Impact

The vulnerability allows an attacker to manipulate the z‑order of browser or email client windows, enabling a fullscreen notification to be hidden from view. If the notification is suppressed, a user may unknowingly interact with a malicious page or email source while believing a legitimate fullscreen alert is present, potentially leading to spoofing or phishing attacks. The weakness is rooted in rendering order control (CWE‑1021) and misuse of system resource management (CWE‑451).

Affected Systems

Mozilla Firefox and Mozilla Thunderbird applications are affected. Versions released prior to Firefox 135 and Thunderbird 135 contain the flaw; subsequent releases contain a fix and therefore are not vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity, while the EPSS score indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation has been observed. Exploitation would likely require local access or the presence of malicious code running in the user’s environment; remote exploitation is not supported by the available data. The attack is best‑effort and depends on window‑management manipulation rather than remote code execution or privilege escalation.

Generated by OpenCVE AI on April 20, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox or Thunderbird to version 135 or newer
  • If an upgrade is not immediately possible, disable or restrict fullscreen notifications in the application settings
  • Ensure that the operating system’s window‑manager security settings are configured to prevent unauthorized z‑order changes
  • Monitor for abnormal application behavior that could indicate notification suppression or spoofing attempts

Generated by OpenCVE AI on April 20, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1974 The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
Ubuntu USN Ubuntu USN USN-7263-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135. The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.
Title firefox: thunderbird: Fullscreen notification not properly displayed Fullscreen notification not properly displayed

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00046}

 epss

{'score': 0.00059}

Fri, 07 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Fullscreen notification not properly displayed
Weaknesses CWE-451
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 06 Feb 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Wed, 05 Feb 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Description The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:16.746Z

Reserved: 2025-02-04T07:26:45.552Z

Link: CVE-2025-1019

cve-icon Vulnrichment

Updated: 2025-02-05T19:05:14.231Z

cve-icon NVD

Status : Modified

Published: 2025-02-04T14:15:32.850

Modified: 2026-04-13T15:16:51.027

Link: CVE-2025-1019

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-02-04T13:58:54Z

Links: CVE-2025-1019 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses