CVE-2025-1019 - Hiding the Fullscreen Notification in Firefox and Thunderbird Leads to Spoofing Risks

A new vulnerability, CVE-2025-1019, has been discovered in Mozilla Firefox and Thunderbird versions before 135. This flaw allows attackers to trick users by manipulating the *z-order* of browser windows, effectively hiding the fullscreen notification. In simple terms, websites or emails could make it look like you're on a trusted page, while actually controlling what you see, enabling powerful spoofing attacks.

This post will explain exactly what this vulnerability means, how it works, show you sample code snippets, discuss the potential risks, and point you to the original references for further reading.

What is the Z-Order, and Why Does it Matter?

The *z-order* in computer graphics defines which windows or elements appear in front of others. It’s like layers of paper stacked; the top-most layer is visible above the others.

Browsers use z-order to show important messages. When a page goes fullscreen, a notification bar usually appears, telling you it's in fullscreen mode and giving you a way to exit.

If an attacker can mess with the z-order, they might hide this bar under another window or element—leaving you in fullscreen with no clue. This is a problem, because in fullscreen mode, websites can imitate your desktop or other trusted login pages, and you might not suspect a thing.

Thunderbird: All versions before 135

If you’re using a version before 135, you’re at risk and should update ASAP.

Here’s a simple code snippet to show how a malicious website might use this bug

<!DOCTYPE html>
<html>
  <body>
    <button id="go-fullscreen">Go Fullscreen</button>
    <script>
      document.getElementById('go-fullscreen').onclick = () => {
        document.body.requestFullscreen();
        // Open a new window that overlays the fullscreen notification bar
        window.open('spoof.html', 'spoof', 'width=500,height=100,left=,top=');
      };
    </script>
  </body>
</html>

spoof.html could contain any content, like a fake login page or a fake desktop background. The new window can be positioned to cover the fullscreen notification or even the entire screen.

Risks and Impact

- Spoofing: Attackers can create fake pages that appear totally legitimate by hiding the fullscreen warning bar. This can trick users into entering passwords, credit card numbers, or other sensitive data.
- Phishing: Since the warning is gone, users have no indication they’ve entered fullscreen—making phishing attacks much more effective.
- Social Engineering: The attacker can mimic browser or operating system dialogs to guide users into dangerous actions.

Be Skeptical: If a site suddenly requests fullscreen, be cautious. Try pressing Esc to exit.

- Browser Controls: Don’t trust sites that urge you to disable browser security or perform strange clicks.

References and Further Reading

- Mozilla Foundation Security Advisory 2025-05
- CVE-2025-1019 entry at NVD (National Vulnerability Database)
- How Fullscreen API Works (MDN)

Conclusion

CVE-2025-1019 is a serious bug because it undermines a fundamental safety feature of modern browsers. If attackers can hide fullscreen notifications, they can make dangerous spoofing attacks much more convincing. Always keep your browsers and mail clients up to date, and be aware of suspicious fullscreen requests.

Timeline

Published on: 02/04/2025 14:15:32 UTC
Last modified on: 02/06/2025 19:40:29 UTC