Description
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.
Published: 2025-10-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing via Android custom tabs
Action: Upgrade promptly
AI Analysis

Impact

The vulnerability limits the information shown in the Firefox and Firefox Focus user interface for Android custom tabs to only the site name, omitting the full hostname. Content served from a subdomain of a legitimate site could therefore appear to come from a different subdomain, potentially misleading a user about the origin of the content. This deceptive display may allow a malicious party to trick a user into accepting or interacting with content that it believes is from a trusted domain.

Affected Systems

Mozilla’s Firefox and Firefox Focus browsers running on Android devices are affected. The flaw exists in all releases prior to Firefox 144. Devices with older versions of these browsers are vulnerable to the spoofing risk described.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, while the EPSS score of less than 1% indicates that the likelihood of exploitation is low but not negligible. This vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation campaigns are documented. Based on the description, it is inferred that the likely attack vector involves an application that opens a custom tab to a malicious subdomain; the attacker leverages the limited hostname display to deceive the user without needing code execution or elevated privileges. The risk remains significant because users may trust the displayed site name and interact with dangerous content.

Generated by OpenCVE AI on April 20, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox and Firefox Focus to version 144 or later on all Android devices.
  • If an immediate upgrade is not feasible, disable the custom tabs feature in Firefox (Settings → Privacy & Security → Custom Tabs) to remove the spoofing risk until a patch is applied.
  • For enterprise environments, restrict or block third‑party applications that use the Android custom tab intent with known phishing domains until the update is deployed.

Generated by OpenCVE AI on April 20, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability affects Firefox < 144. The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title Spoofing risk in Android custom tabs

Wed, 15 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google
Google android
Mozilla
Mozilla firefox

Wed, 15 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
Description The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability affects Firefox < 144.
References

Subscriptions

Google Android
Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:25.625Z

Reserved: 2025-10-13T19:50:22.446Z

Link: CVE-2025-11720

cve-icon Vulnrichment

Updated: 2025-10-15T13:18:37.511Z

cve-icon NVD

Status : Modified

Published: 2025-10-14T13:15:38.400

Modified: 2026-04-13T15:16:41.423

Link: CVE-2025-11720

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses