Description
A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Published: 2025-03-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized default protocol handler registration resulting in potential user identity spoofing
Action: Patch
AI Analysis

Impact

A web page could trick a user into setting that site as the default handler for a custom URL protocol. Based on the description, it is inferred that an attacker could employ clickjacking techniques to cause the registration to happen without genuine user intent, giving the attacker the ability to hijack URLs targeted to the custom protocol. This results in an unauthorized capability that could be abused to direct traffic or manipulate user interactions.

Affected Systems

Systems affected include Mozilla Firefox and Mozilla Thunderbird, specifically any versions prior to Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Linux distributions that bundle these browsers, such as Red Hat Enterprise Linux 8 and 9 and their extended support releases, are also impacted when they run the vulnerable browser versions.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate impact, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of exploitation. The likely attack vector, inferred from the description, requires a user to visit a malicious web page that uses clickjacking to bypass the default handler prompt; no remote code execution is required.

Generated by OpenCVE AI on April 21, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 136 or later, or the ESR 128.8 release, and upgrade Mozilla Thunderbird to version 136 or later or ESR 128.8.
  • Disable the registerProtocolHandler feature via the browser’s configuration settings to prevent automatic protocol handler registration, mitigating clickjacking by removing the default handling prompt.
  • Configure content security policies and X-Frame-Options headers in any web content served through the browser to mitigate potential cross-site scripting and clickjacking exploitation, thereby strengthening user input validation and output encoding.

Advisories
Source       ID               Title
Debian DLA   DLA-4078-1       firefox-esr security update
Debian DLA   DLA-4081-1       thunderbird security update
Debian DSA   DSA-5874-1       firefox-esr security update
Debian DSA   DSA-5876-1       thunderbird security update
EUVD         EUVD-2025-7440   A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
Ubuntu USN   USN-7334-1       Firefox vulnerabilities
Ubuntu USN   USN-7663-1       Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8. A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Title firefox: Clickjacking the registerProtocolHandler info-bar Reporter Clickjacking the registerProtocolHandler info-bar

Mon, 03 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
References

Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Tue, 25 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 14 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Wed, 12 Mar 2025 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Mon, 10 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus

Fri, 07 Mar 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8

Thu, 06 Mar 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 05 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
Title firefox: Clickjacking the registerProtocolHandler info-bar Reporter
Weaknesses CWE-1021
References
Metrics threat_severity

None

threat_severity

Low


Wed, 05 Mar 2025 00:00:00 +0000

Type Values Removed Values Added
Description A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136 and Firefox ESR < 128.8. A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
References

Tue, 04 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136 and Firefox ESR < 128.8.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:42.195Z

Reserved: 2025-03-04T12:29:38.170Z

Link: CVE-2025-1935

Vulnrichment

Updated: 2025-11-03T20:57:21.111Z

NVD

Status : Modified

Published: 2025-03-04T14:15:38.390

Modified: 2026-04-13T15:16:52.633

Link: CVE-2025-1935

Redhat

Severity : Low

Public Date: 2025-03-04T13:31:25Z

Links: CVE-2025-1935 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses