CVE-2014-1539
Description
On OS X, Firefox before 30 and Thunderbird before 24.6 allow cursor invisibility after Flash interaction, enabling clickjacking via fake cursor images.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Mozilla Firefox before version 30.0 and Thunderbird through version 24.6 on OS X, the cursor can become invisible after interaction with a Flash object and a DIV element. The browser fails to ensure cursor visibility following Flash use, allowing a remote attacker to manipulate the cursor appearance. This issue is specific to OS X and does not affect Windows or Linux systems [3].
Exploitation
An attacker can craft a web page containing a Flash object and a DIV element. By using JavaScript, the attacker creates a fake cursor image that mimics the real cursor. The user must first interact with the Flash object (e.g., click on it), then move the cursor over the DIV, where it becomes invisible. The fake cursor image can then be repositioned to trick the user into clicking on a different element than intended. No authentication is required, but user interaction with the Flash object is necessary [2][3].
Impact
Successful exploitation allows clickjacking attacks: the user believes they are clicking on the element under the fake cursor but actually interacts with a different, potentially hidden element. This can lead to unintended actions such as changing security settings, making purchases, or other malicious operations. The impact is high, as it compromises the integrity of user interactions and can lead to further compromise [3].
Mitigation
Firefox 30 and later versions are fixed; users should upgrade to at least Firefox 30 [3]. Thunderbird users should upgrade to a version beyond 24.6; the advisory indicates the fix is included in later releases (e.g., Thunderbird 31.5.0 in Gentoo) [1]. No workarounds are available. This vulnerability is specific to OS X, and users on other platforms are not affected [3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (14)
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (+ 1 more)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* range: <=29.0.1
- (no CPE) range: <30.0
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (+ 9 more)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* range: <=24.6
- cpe:2.3:a:mozilla:thunderbird:24.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:24.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:24.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:24.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:24.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:24.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:24.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:24.5:*:*:*:*:*:*:*
- (no CPE) range: <=24.6
- osv-coords (2 versions): pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
< 128.5.1-1.1 (+ 1 more)
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 50.1.0-1.1
References (11)
- www.mozilla.org/security/announce/2014/mfsa2014-50.html (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2014-06/msg00040.html (nvd)
- lists.opensuse.org/opensuse-updates/2014-07/msg00001.html (nvd)
- secunia.com/advisories/59171 (nvd)
- secunia.com/advisories/59387 (nvd)
- secunia.com/advisories/59486 (nvd)
- www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html (nvd)
- www.securityfocus.com/bid/67967 (nvd)
- www.securitytracker.com/id/1030388 (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- security.gentoo.org/glsa/201504-01 (nvd)