VYPR
High severity · 7.5 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8964

Description

Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A spoofing issue in the Popup Blocker component of Firefox and Thunderbird allows an attacker to mislead users; fixed in version 151.

Vulnerability

A spoofing issue exists in the Popup Blocker component of Firefox and Thunderbird [1]. The vulnerability affects versions prior to Firefox 151 and Thunderbird 151 [1][2]. The specific conditions required to trigger the spoofing are not disclosed in the available references, but the component is responsible for handling pop-up windows, suggesting the flaw could be exploited to present misleading content to the user.

Exploitation

An attacker likely requires the ability to serve web content to a target user, for example by hosting a malicious website or injecting content into a legitimate page [1][2]. Exploitation would involve the user visiting a specially crafted page that triggers the Popup Blocker in a way that causes the spoofing. The exact sequence of steps is not detailed in the public references.

Impact

Successful exploitation allows an attacker to spoof content, potentially tricking the user into trusting a fake dialog, address bar, or other UI element [1]. This can lead to phishing attacks or other social engineering, undermining the user's ability to distinguish legitimate browser chrome from attacker-controlled content. The vulnerability is rated high severity with a CVSS v3 score of 7.5.

Mitigation

The vulnerability is fixed in Firefox 151 and Thunderbird 151, both released on May 19, 2026 [1][2]. Users should update to these versions or later. For Thunderbird, the advisory notes that scripting is disabled when reading mail, so exploitation through email is unlikely, but browser-like contexts may be at risk [2]. No known public proof-of-concept or KEV listing is mentioned in the references.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

3
