Impact
When the address bar in Firefox on Android hides because the user scrolls, a malicious web page can use the visibilitychange event to detect that the bar has been hidden, and then draw a fake address bar overlay that looks like the real one. The fake bar can display arbitrary domain names or URLs to mislead the user into thinking they are on a trusted site, enabling phishing or other social-engineering attacks. No code is executed; the issue is a UI deception flaw that undermines the user's ability to trust what the address bar shows.
Affected Systems
This flaw affects the Mozilla Firefox browser on Android devices, specifically all releases prior to version 144. It also depends on how the visibilitychange event is delivered on Android, so any Android device running an unfixed version of Firefox is susceptible. The movement of the address bar during scrolling is the trigger that the malicious page exploits.
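A practitioner triaging this advisory usually wants to know which clients in their logs are still on a Firefox for Android build below the fixed release. The following is an added example, not code from the advisory or from Mozilla; it parses the user-agent field of combined-format web-server log lines (constructed sample lines, not from the page) and flags Firefox for Android builds whose major version is below 144, the first fixed release stated above. The user-agent layout assumed here is the public Firefox for Android format, and the `FIXED_MAJOR` threshold is taken from the advisory text.

```python
import re
from typing import List, Optional

# First fixed release per the advisory text: builds below this are affected.
FIXED_MAJOR = 144

# Firefox for Android user agents look like
#   Mozilla/5.0 (Android 13; Mobile; rv:143.0) Gecko/143.0 Firefox/143.0
# The platform segment starts with "(Android" and the version is in "Firefox/<major>.<minor>".
_FIREFOX_ANDROID_UA = re.compile(
    r"\(Android [^)]*\).*?\bFirefox/(?P<major>\d+)(?:\.(?P<minor>\d+))?"
)


def is_affected(user_agent: str, fixed_major: int = FIXED_MAJOR) -> bool:
    """True if the user agent is Firefox on Android with a major version below the fix."""
    m = _FIREFOX_ANDROID_UA.search(user_agent)
    if not m:
        # Desktop Firefox, other Android browsers and unknown clients are not in scope.
        return False
    return int(m.group("major")) < fixed_major


def extract_user_agent(log_line: str) -> Optional[str]:
    """In combined log format the user agent is the last double-quoted field."""
    quoted = re.findall(r'"([^"]*)"', log_line)
    return quoted[-1] if quoted else None


def affected_clients(log_text: str) -> List[str]:
    """Return the client IPs whose requests came from an affected Firefox for Android build."""
    hits = []
    for line in log_text.splitlines():
        ua = extract_user_agent(line)
        if ua and is_affected(ua):
            hits.append(line.split()[0])  # client address is the first field
    return hits


# Constructed sample log lines (not from the page): one affected build, one fixed build,
# one desktop Firefox and one non-Firefox Android browser.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android 13; Mobile; rv:143.0) Gecko/143.0 Firefox/143.0"
203.0.113.6 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android 14; Mobile; rv:144.0) Gecko/144.0 Firefox/144.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
203.0.113.8 - - [01/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36"
"""

if __name__ == "__main__":
    for ip in affected_clients(SAMPLE_LOG):
        print(f"{ip}: Firefox for Android build below {FIXED_MAJOR}, address bar fix not present")
```

Only the first sample line is reported: the 144.0 build is at the fixed release, desktop Firefox is not an Android build, and the Chrome line does not carry a `Firefox/` token. The same `is_affected` check can be pointed at an MDM or device-inventory export instead of access logs.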
Risk and Exploitability
The CVSS score of 6.5 classifies the vulnerability as a moderate-severity compromise of user interface integrity. The EPSS score of less than 1% indicates a very low likelihood of widespread exploitation at present, and the flaw is not currently catalogued in the CISA KEV list. An attacker needs only a malicious webpage loaded in the victim's Firefox browser on an Android device; no additional privileges or network access are required. Once the page observes the visibilitychange event it can overlay the spoofed bar immediately, so the attack surface is narrow but readily reproducible in a typical browsing session.
OpenCVE Enrichment