CVE CyberSecurity Database News

CVE-2025-1018 - How Rapid Fullscreen Re-Requests Can Spoof Users in Firefox and Thunderbird

Poster -

Published: June 2024 <br>Impacted Versions: Firefox < 135, Thunderbird < 135 <br>Severity: Medium <br>Type: Spoofing/UX Manipulation


Web browsers have long tried to balance rich features like fullscreen mode with keeping users safe from misleading or malicious web pages. One central security control is the "fullscreen notification": a persistent visual warning at the top of the screen when a site enters fullscreen, reminding you that a website (not the browser or your OS) controls what you see.

But what if that notification didn’t stay up as intended? *CVE-2025-1018* describes exactly such a scenario. In affected versions of Mozilla Firefox and Thunderbird, the fullscreen notification could disappear immediately if the site quickly re-requested fullscreen access. Attackers could abuse this for convincing spoofing attacks.

Let’s break down how this works, why it's risky, and how you can test it yourself.

What is the Fullscreen Notification?

Whenever a site wants to take over the entire screen (say, for a video or a presentation), browsers show a notification bar at the top, like this:

> “This page is now full screen. Press ESC or F11 to exit.”

This bar is a vital protection—it keeps shady sites from hiding your OS chrome and faking software updates, password popups, or other tricks.

The Problem

Due to a bug in Firefox and Thunderbird before version 135, if a web page quickly exited fullscreen and then re-entered it, the notification would disappear almost immediately—exactly what the notification is supposed to prevent.

A malicious site could do this repeatedly (within milliseconds), giving users barely a second to see the warning. After that, the site could imitate system dialogs, browser security prompts, or ANY trusted content, because the warning bar was gone.

Proof-of-Concept Code

Here's a minimal demo in JavaScript. This loops a fake "video" to keep requesting fullscreen, denying the notification a chance to catch up:

<!DOCTYPE html>
<html>
<head>
<title>CVE-2025-1018 Demo</title>
</head>
<body>
<button id="fsBtn">Enter Fullscreen</button>
<script>
const btn = document.getElementById('fsBtn');

btn.onclick = async () => {
  // Get any element to go fullscreen (here just the button)
  while (true) {
    await document.body.requestFullscreen();
    // Immediately exit and re-enter fullscreen
    await document.exitFullscreen();
    // Quick cycle—may need tuning per browser/hardware
    await new Promise(resolve => setTimeout(resolve, 20));
  }
}
</script>
<p>Click button to start rapid fullscreen cycling. 
 In vulnerable versions, the notification will flash and disappear.</p>
</body>
</html>

*Warning:* Don’t use this on other people’s machines. This is for educational purposes only and may annoy your browser!

What Attackers Could Do

- Spoof OS interfaces: A page could make itself look perfectly like your desktop, a Windows login screen, or a system password prompt.
- Steal credentials: Combined with phishing, users might be tricked to enter passwords or other info.

Fake browser dialogs: Such as security warnings or confirmation popups.

- Hide warning indicators: The whole point of persistent fullscreen warnings is to make you aware you’re in browser fullscreen. If it goes away, attackers gain a big advantage.

Download the latest versions:

- Firefox Download
- Thunderbird Download

Be cautious of full screen requests.

If a browser page goes fullscreen without a clear reason (especially if you see OS/system prompts you weren’t expecting), try pressing ESC or ALT+TAB to escape.

References

- Mozilla Security Advisory for CVE-2025-1018
- Fullscreen API (MDN)
- CVE-2025-1018 Entry

Summary Table

| CVE | Vendor | Affected Versions | Patched In | Attack Vector | Fix |
|--------------|----------|-----------------------|--------------------|-----------------|-------------|
| CVE-2025-1018| Mozilla | Firefox, Thunderbird < 135| Firefox/Thunderbird 135 | Web/javasript | Update browser |

Final Notes

CVE-2025-1018 underscores the importance of small-but-critical UX security features in browsers. If you haven’t updated in a while, now’s the time! And as always, treat unprompted fullscreen requests (especially with disappearing warnings) as suspicious.

Timeline

Published on: 02/04/2025 14:15:32 UTC
Last modified on: 02/06/2025 19:40:01 UTC