CVE-2025-11716

Summary

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefox144 <= *unaffected
MozillaThunderbird144 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References