CVE-2025-11717 Overview
CVE-2025-11717 is an Information Exposure vulnerability affecting Mozilla Firefox on Android devices. When users switch between Android applications using the card carousel (recent apps view), Firefox versions prior to 144 would display the password edit screen as the app preview thumbnail. This behavior could potentially expose sensitive password-related information to nearby observers or through screen capture mechanisms. Firefox 144 addresses this issue by displaying a black screen as the card image when a password-related screen was the last one being used.
Critical Impact
Password-related screens could be visible in the Android app switcher carousel, potentially exposing sensitive authentication data to shoulder surfing attacks or unauthorized screen captures in Firefox versions prior to 144.
Affected Products
- Mozilla Firefox < 144 (Android)
- Google Android (as the host operating system)
Discovery Timeline
- 2025-10-14 - CVE-2025-11717 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2025-11717
Vulnerability Analysis
This vulnerability represents an Information Exposure flaw (CWE-200) in how Mozilla Firefox handles secure screen visibility within the Android operating system's multitasking interface. The Android app carousel feature displays thumbnail previews of recently used applications when users switch between apps. Prior to Firefox 144, the browser did not properly obscure sensitive password-related screens when these thumbnails were generated.
The security implication arises because any sensitive information visible on the password edit screen could remain visible in the app switcher, creating an opportunity for information disclosure through visual observation or screen recording. This is particularly concerning in shared environments or situations where an attacker could view or capture the device screen.
Root Cause
The root cause of this vulnerability lies in Firefox's failure to implement proper screen masking when the application's activity involves password-related screens. Android applications can flag sensitive views to prevent them from appearing in task switchers or screenshots using the FLAG_SECURE window flag. Prior to version 144, Firefox did not consistently apply this protection to password-related screens, allowing the Android system to capture and display these screens in the recent apps carousel.
Attack Vector
The attack vector for this vulnerability is classified as network-based, though the practical exploitation requires physical proximity or access to the device screen. An attacker could exploit this vulnerability through:
- Shoulder surfing - Observing the victim's device screen when they switch between apps
- Screen recording/casting - If the device is being recorded or cast to another display
- Compromised screenshot tools - Malicious applications that capture the app carousel view
The vulnerability does not require any user interaction beyond normal device usage, as the password screen exposure occurs automatically when switching apps.
Detection Methods for CVE-2025-11717
Indicators of Compromise
- Users report seeing password fields visible in the Android app switcher when using Firefox versions below 144
- Screenshot or screen recording captures showing Firefox password screens in the task carousel
- Security audit findings indicating improper FLAG_SECURE implementation
Detection Strategies
- Monitor installed Firefox versions across Android devices in the enterprise environment using mobile device management (MDM) solutions
- Implement application version compliance policies that flag Firefox installations below version 144
- Review mobile device security configurations to identify vulnerable browser installations
Monitoring Recommendations
- Deploy MDM solutions to track Firefox version compliance across managed Android devices
- Enable application inventory reporting to identify outdated Firefox installations
- Implement automated alerting for devices running vulnerable Firefox versions
How to Mitigate CVE-2025-11717
Immediate Actions Required
- Update Mozilla Firefox on Android devices to version 144 or later immediately
- Review mobile device management policies to enforce minimum Firefox version requirements
- Educate users about the risks of using outdated browser versions on mobile devices
- Consider temporarily restricting password manager functionality on unpatched devices
Patch Information
Mozilla has addressed this vulnerability in Firefox 144. The fix ensures that password-related screens now display a black screen in the Android app carousel, preventing sensitive information from being visible. Users should update to Firefox 144 or later through the Google Play Store or their organization's app distribution mechanism. For detailed information, refer to Mozilla Security Advisory MFSA-2025-81 and Mozilla Bug Report #1872601.
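The screen masking described under Root Cause and delivered in the Firefox 144 fix, shown as an added example written for this page (it is not Firefox's own code): a hypothetical PasswordEditFragment, whose name, layout id and single-activity fragment structure are all assumptions, keeps FLAG_SECURE set on the activity window for as long as the password-editing view exists. With the flag set, Android blanks the window in screenshots, screen recordings, casting and the recents (card carousel) snapshot, which is what produces the black card the advisory describes.

```kotlin
// Added example, not code from Firefox: FLAG_SECURE applied to a hypothetical
// password-editing Fragment in a single-activity Android app.
import android.os.Bundle
import android.view.LayoutInflater
import android.view.View
import android.view.ViewGroup
import android.view.WindowManager
import androidx.fragment.app.Fragment

class PasswordEditFragment : Fragment() { // hypothetical fragment name

    override fun onCreateView(
        inflater: LayoutInflater,
        container: ViewGroup?,
        savedInstanceState: Bundle?
    ): View? {
        // FLAG_SECURE marks this window's content as sensitive. The platform then
        // blanks it in screenshots, screen recordings, casting, and in the
        // recents task snapshot that the app switcher shows as the card image.
        requireActivity().window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        // Layout id is an assumption for this example.
        return inflater.inflate(R.layout.fragment_password_edit, container, false)
    }

    override fun onDestroyView() {
        // Clear the flag only when the user navigates away inside the app.
        // Clearing it in onPause would be too early: the recents snapshot can be
        // captured after onPause while the task leaves the foreground, which is
        // exactly the moment the window must still be flagged secure.
        requireActivity().window.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
        super.onDestroyView()
    }
}
```

Because the flag lives on the activity window rather than on the fragment, an app that hosts many screens in one activity has to add and clear it deliberately around each sensitive screen; a screen that forgets to set it, or that clears it before the task is backgrounded, reproduces the exposure this CVE describes.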
Workarounds
- Manually close Firefox before switching to other apps when on password-related screens
- Avoid accessing password management features in Firefox on shared or monitored devices until the update is applied
- Use alternative password management solutions that properly implement screen security flags
- Enable device-level screen security features where available to limit screenshot and recording capabilities
# Verify Firefox version on Android via ADB
adb shell dumpsys package org.mozilla.firefox | grep versionName
# Expected output for patched version: versionName=144.0 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

