Skip to main content
CVE Vulnerability Database

CVE-2025-5267: Mozilla Firefox Clickjacking Vulnerability

CVE-2025-5267 is a clickjacking vulnerability in Mozilla Firefox that could trick users into leaking saved payment card details to malicious pages. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-5267 Overview

CVE-2025-5267 is a clickjacking vulnerability in Mozilla Firefox and Thunderbird that could allow a malicious page to trick users into leaking saved payment card details. The flaw is classified under CWE-1021: Improper Restriction of Rendered UI Layers or Frames. Mozilla addressed the issue in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. Exploitation requires user interaction on an attacker-controlled page, but the attack surface is broad because the vulnerable feature is enabled by default in autofill-enabled profiles.

Critical Impact

A remote attacker can craft a web page that overlays UI elements to trick users into revealing stored payment card information saved in the browser's autofill feature.

Affected Products

  • Mozilla Firefox versions prior to 139
  • Mozilla Firefox ESR versions prior to 128.11
  • Mozilla Thunderbird versions prior to 139 and 128.11

Discovery Timeline

  • 2025-05-27 - CVE-2025-5267 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-5267

Vulnerability Analysis

The vulnerability is a clickjacking flaw affecting Firefox's saved payment card autofill functionality. Clickjacking, also known as UI redress attack, allows an attacker to layer transparent or opaque UI elements over legitimate browser controls. When a user interacts with what appears to be a benign page element, they instead trigger an action on a hidden element that discloses sensitive data. In this case, the hidden element is the payment card autofill dropdown, which populates form fields with stored card numbers, expiration dates, and cardholder names.

Root Cause

The root cause is insufficient restriction of how the payment autofill UI can be framed or overlaid by attacker-controlled content. Firefox did not adequately isolate the sensitive autofill dropdown from cross-origin visual manipulation, allowing framing or positioning tricks to obscure the true target of a click.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker hosts a malicious page containing a hidden or disguised payment form. The page uses CSS positioning, opacity, or iframe layering to hide the form beneath decoy UI. When the user clicks the decoy, the browser's autofill silently populates the hidden fields with saved card data, which the attacker then exfiltrates. No credentials or elevated privileges are required. See the Mozilla Bug Report #1954137 and Mozilla Security Advisory MFSA-2025-42 for additional technical details.

Detection Methods for CVE-2025-5267

Indicators of Compromise

  • Outbound HTTP POST requests from browser sessions containing payment card data patterns (PAN, CVV, expiration) to non-merchant domains
  • Firefox or Thunderbird process versions running below 139 or ESR 128.11 in endpoint inventory
  • User reports of unauthorized transactions following visits to untrusted sites

Detection Strategies

  • Inventory endpoints for vulnerable Firefox and Thunderbird versions using software asset management tooling
  • Monitor web proxy logs for browser POST requests with credit card regex patterns directed at low-reputation domains
  • Correlate browser telemetry with DLP alerts for payment card data exfiltration attempts

Monitoring Recommendations

  • Track Firefox and Thunderbird version compliance across managed endpoints and flag installations below the patched builds
  • Alert on user navigation to newly registered or low-reputation domains that render payment form fields
  • Review browser update logs to confirm timely deployment of Mozilla security releases

How to Mitigate CVE-2025-5267

Immediate Actions Required

  • Upgrade Firefox to version 139 or later and Firefox ESR to 128.11 or later on all endpoints
  • Upgrade Thunderbird to version 139 or 128.11 on all endpoints
  • Advise users to disable saved payment card autofill in browser settings until patching is complete
  • Deploy patched Debian packages per the Debian LTS Announcement for Linux endpoints

Patch Information

Mozilla released fixes in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. Refer to Mozilla Security Advisory MFSA-2025-42 and Mozilla Security Advisory MFSA-2025-44 for the full advisory content. Debian LTS users should apply updates from the Debian LTS Announcement #46.

Workarounds

  • Disable payment card autofill via about:preferences#privacy under Forms and Autofill until the browser is updated
  • Remove saved payment cards from the Firefox profile to eliminate the data at risk
  • Enforce enterprise browser policy to disable extensions.formautofill.creditCards.enabled via Firefox policies.json
bash
# Firefox enterprise policy to disable credit card autofill
# /etc/firefox/policies/policies.json
{
  "policies": {
    "Preferences": {
      "extensions.formautofill.creditCards.enabled": {
        "Value": false,
        "Status": "locked"
      }
    }
  }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.