Description
Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.
Published: 2025-03-04
Score: 3.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized permission granting via tapjacking
Action: Apply patch
AI Analysis

Impact

Android applications can use Custom Tabs to display web content and support transition animations that allow attackers to mask the true clickable target. The weakness, classified as CWE-1021 and CWE-359, enables malicious code to mislead a user into granting permissions they did not intend to provide. The impact is that a user might unwittingly consent to sensitive permissions, exposing personal data and potentially allowing further malicious activity.

Affected Systems

This issue affects Firefox applications on Android that employ Custom Tabs, specifically any release prior to Firefox 136. Mobile apps relying on old Firefox Custom Tab integration are vulnerable.

Risk and Exploitability

The CVSS score of 3.9 reflects a low severity, and the EPSS value of <1 % indicates a very small probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an Android application that loads malicious content in a Custom Tab and uses transition animations to hide the real click target, thereby tricking the user into granting permissions. Given the low severity and exploitation likelihood, the overall risk remains modest but still warrants timely remediation.

Generated by OpenCVE AI on April 20, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 136 or later on all Android devices that use Custom Tabs.
  • If updating is delayed, reduce or disable the use of transition animations in Custom Tabs through application or system settings.
  • Educate users to scrutinize permission prompts and avoid granting permissions when the interface does not clearly match the requested action.
  • Where feasible, replace Custom Tab usage with a standard WebView that gives developers direct control over UI elements.

Generated by OpenCVE AI on April 20, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6162 Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136. Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.
Title firefox: Tapjacking in Android Custom Tabs using transition animations Tapjacking in Android Custom Tabs using transition animations

Mon, 08 Sep 2025 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 03 Apr 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Wed, 05 Mar 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-359
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 3.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Wed, 05 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
Title firefox: Tapjacking in Android Custom Tabs using transition animations
Weaknesses CWE-1021
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

threat_severity

Important

Tue, 04 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:21.704Z

Reserved: 2025-03-04T12:29:44.141Z

Link: CVE-2025-1939

cve-icon Vulnrichment

Updated: 2025-09-07T23:09:55.634Z

cve-icon NVD

Status : Modified

Published: 2025-03-04T14:15:38.837

Modified: 2026-04-13T15:16:53.420

Link: CVE-2025-1939

cve-icon Redhat

Severity : Important

Publid Date: 2025-03-04T13:31:22Z

Links: CVE-2025-1939 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses