Impact
This vulnerability allows a malicious actor to spoof or alter DOM elements within the browser’s core and HTML handling components. As a result, a user visiting a compromised or malicious web page could see altered page content or navigation, potentially facilitating social engineering, phishing, or other deception attacks. The weakness, classified as CWE‑1021, arises from improper handling of DOM input, enabling such spoofing without user interaction.
Affected Systems
Mozilla products Firefox and Thunderbird are affected. Versions prior to Firefox 152 and Thunderbird 152 contain the bug; the issue was patched in those releases. Any installation of these browsers older than the stated versions is vulnerable.
Risk and Exploitability
The vulnerability carries a CVSS score of 5.4, indicating a moderate impact. The EPSS score is reported as less than 1 %, showing a very low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. Attackers would most likely exploit this via a malicious web page loaded in the browser, inferring that the vector is web‑based; however, the official description does not explicitly state the vector, so this inference is marked as such.
OpenCVE Enrichment