Description
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Clickjacking
Action: Upgrade
AI Analysis

Impact

The PDF Viewer component in Firefox and Thunderbird contains a clickjacking vulnerability that lets a malicious site cause the user to unintentionally interact with a PDF document, potentially revealing sensitive information. The flaw was addressed by correcting how the viewer handles user interactions, preventing the unintended disclosure. The weakness aligns with CWE‑497, where the component fails to restrict operations within the user's privilege bounds.

Affected Systems

Firefox versions earlier than 147 and Firefox ESR versions earlier than 140.7, and Thunderbird versions earlier than 147 and Thunderbird ESR versions earlier than 140.7 are subject to the flaw. Mozilla products listed as affected include both Firefox and Thunderbird, encompassing their standard and extended support releases.

Risk and Exploitability

The vulnerability scores a CVSS of 4.3, a low to moderate severity level, and an EPSS score of less than 1%, indicating a very low likelihood of exploitation. It is not currently catalogued in CISA’s KEV. Attackers would need to host a malicious web page that embeds a PDF and induce the victim to click on the document area, exploiting the clickjacking flaw to expose document contents. No remote code execution or privilege escalation has been documented.

Generated by OpenCVE AI on April 15, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 147 or newer, or Firefox ESR 140.7 or newer.
  • Upgrade Thunderbird to version 147 or newer, or Thunderbird ESR 140.7 or newer.
  • If an upgrade is not immediately possible, disable the built‑in PDF viewer or configure the browser to open PDFs in an external viewer to prevent the clickjacking vector.

Generated by OpenCVE AI on April 15, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4439-1 firefox-esr security update
Debian DLA Debian DLA DLA-4442-1 thunderbird security update
Debian DSA Debian DSA DSA-6101-1 firefox-esr security update
Debian DSA Debian DSA DSA-6103-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 15 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7. Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 13 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-497
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7.
Title Clickjacking issue, information disclosure in the PDF Viewer component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:59.523Z

Reserved: 2026-01-13T13:30:57.650Z

Link: CVE-2026-0887

cve-icon Vulnrichment

Updated: 2026-01-13T20:29:00.023Z

cve-icon NVD

Status : Modified

Published: 2026-01-13T14:16:39.240

Modified: 2026-04-13T15:17:17.927

Link: CVE-2026-0887

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-13T13:30:57Z

Links: CVE-2026-0887 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses