Impact
The vulnerability is a clickjacking flaw in the Widget: Gtk component used by Mozilla's Firefox and Thunderbird. It allows an attacker to embed content that tricks users into interacting with hidden controls, potentially leading to unintended actions. The weakness is classified as CWE‑1021, reflecting UI deception. The CVSS score of 5.4 indicates a moderate impact.
Affected Systems
Both Firefox and Thunderbird are affected until the release of version 152, which contains a patch. All earlier releases are vulnerable. The vulnerability is present in all platforms where the Gtk widget is enabled, including desktop Windows, macOS, and Linux distributions that ship those browsers.
Risk and Exploitability
The EPSS score is less than 1 %, suggesting a low probability of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. Attackers would need to lure a user into interacting with a page containing the widget; authentication or elevated privileges are not required. Because the issue is a UI deception flaw, the primary risk is to user integrity and to information disclosed through unintended actions.
OpenCVE Enrichment