CVE-2025-11720

Published: Oct 14, 2025

Modified: Apr 13, 2026

PUBLISHED

Description

The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.

Vendor	Product	Versions
Mozilla	Firefox	unaffected `144 - <= *`

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1979534

https://bugzilla.mozilla.org/show_bug.cgi?id=1984370

https://www.mozilla.org/security/advisories/mfsa2025-81/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-11720

Description

Affected Products

References