CVE-2025-1018

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to hide the fullscreen notification in Firefox and Thunderbird by rapidly requesting fullscreen mode, enabling potential UI spoofing attacks. It affects users running Firefox versions below 135 and Thunderbird versions below 135.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 135, Thunderbird < 135
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires JavaScript execution in browser context.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could create convincing phishing pages that hide browser UI elements, tricking users into entering sensitive information or downloading malware.

🟠 Likely Case

Limited phishing attempts that might trick some users into clicking malicious elements, but requires user interaction and specific timing.

🟢 If Mitigated

With proper browser security settings and user awareness, impact is minimal as it requires user interaction and doesn't bypass core security controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires JavaScript execution and specific timing of fullscreen requests. No known public exploits at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 135, Thunderbird 135

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-07/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. The browser checks for updates and installs one if available.
4. Restart the browser when prompted.

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Prevents exploitation by blocking JavaScript execution

about:config → javascript.enabled = false

Use Enhanced Tracking Protection (applies to: all)

Blocks some malicious scripts

Settings → Privacy & Security → Enhanced Tracking Protection → Strict

🧯 If You Can't Patch

  • Use alternative browsers for sensitive activities
  • Implement web filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check browser version in About Firefox/Thunderbird menu

Check Version:

firefox --version (or thunderbird --version)

Verify Fix Applied:

Confirm version is 135 or higher in About dialog

📡 Detection & Monitoring

Log Indicators:

  • Multiple rapid fullscreen API calls in short timeframe
  • Unusual JavaScript behavior patterns

Network Indicators:

  • Suspicious domains hosting JavaScript that manipulates fullscreen API

SIEM Query:

source="browser_logs" AND (event="fullscreen_request" count>5 within 1s)
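An added example, not part of the advisory page, of the detection logic the SIEM query above describes: it parses constructed browser-event log lines (the line format and origins are hypothetical) and flags any origin that issues more than five fullscreen requests within one second, alerting once per origin.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp origin= event=" format.
# example.test fires six fullscreen requests in 250 ms; benign.test fires two, seconds apart.
SAMPLE_LOG = """\
2025-02-04T10:00:00.000Z origin=https://example.test event=page_load
2025-02-04T10:00:01.000Z origin=https://example.test event=fullscreen_request
2025-02-04T10:00:01.050Z origin=https://example.test event=fullscreen_request
2025-02-04T10:00:01.100Z origin=https://example.test event=fullscreen_request
2025-02-04T10:00:01.150Z origin=https://example.test event=fullscreen_request
2025-02-04T10:00:01.200Z origin=https://example.test event=fullscreen_request
2025-02-04T10:00:01.250Z origin=https://example.test event=fullscreen_request
2025-02-04T10:00:09.000Z origin=https://benign.test event=fullscreen_request
2025-02-04T10:00:12.000Z origin=https://benign.test event=fullscreen_request
"""

LINE_RE = re.compile(r"^(\S+) origin=(\S+) event=(\S+)$")


def parse(line):
    """Return (timestamp, origin, event) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m.group(2), m.group(3)


def detect_rapid_fullscreen(log_text, threshold=5, window=timedelta(seconds=1)):
    """Sliding-window detector: alert when one origin produces more than
    `threshold` fullscreen_request events inside `window`. Returns a list of
    (origin, timestamp_of_alert), at most one alert per origin."""
    recent = {}      # origin -> deque of timestamps still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                 # skip malformed lines rather than crash
        ts, origin, event = rec
        if event != "fullscreen_request":
            continue
        q = recent.setdefault(origin, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # drop events older than the window
        if len(q) > threshold and origin not in alerted:
            alerted.add(origin)
            alerts.append((origin, ts))
    return alerts
```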
