Description
A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly.
*This issue only affects Android versions of Firefox.*. This vulnerability was fixed in Firefox 136.
Published: 2025-03-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unintended launch of external applications via visual deception
Action: Patch
AI Analysis

Impact

A select element can partially hide the confirmation dialog that appears before an Android app launches an external intent, misleading users into believing they are consenting. The result is an unexpected launch of a potentially malicious or unwanted external application. This is a usability‑based exploitation, mapped to the UI deception weakness.

Affected Systems

Mozilla Firefox on Android platforms, before version 136. Users running older Android versions of Firefox are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate impact with possible business damage and privacy concerns. EPSS is below 1 %, suggesting exploitation is rare at the moment. The vulnerability is not listed in CISA KEV and therefore is not known to be actively exploited. The attack vector is inferred to rely on user interaction; an attacker would need to trick a user into selecting an option that overlays the confirmation prompt, which requires social engineering.

Generated by OpenCVE AI on April 20, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox Android version 136 or later, which removes the UI deception issue.
  • Apply any available Android OS security updates that may patch related intent handling vulnerabilities.
  • Disable any third‑party applications or overlays that alter the Android UI, as these can amplify the impact of UI‑based attacks.

Generated by OpenCVE AI on April 20, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7442 A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability affects Firefox < 136.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability affects Firefox < 136. A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly. *This issue only affects Android versions of Firefox.*. This vulnerability was fixed in Firefox 136.
Title firefox: Android Intent confirmation prompt tapjacking using Select options Android Intent confirmation prompt tapjacking using Select options

Thu, 03 Apr 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Wed, 05 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
Title firefox: Android Intent confirmation prompt tapjacking using Select options
Weaknesses CWE-451
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 04 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability affects Firefox < 136.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:23.514Z

Reserved: 2025-03-04T12:29:45.975Z

Link: CVE-2025-1940

cve-icon Vulnrichment

Updated: 2025-03-04T15:57:29.783Z

cve-icon NVD

Status : Modified

Published: 2025-03-04T14:15:38.950

Modified: 2026-04-13T15:16:53.607

Link: CVE-2025-1940

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-03-04T13:31:24Z

Links: CVE-2025-1940 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses