CVE-2026-45150 in desktop
Summary
by MITRE • 07/15/2026
Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Zen Browser represents a critical user interface security flaw that undermines the browser's ability to maintain transparent and trustworthy navigation experiences. This issue stems from the browser's failure to implement persistent security notifications during fullscreen mode transitions, creating an exploitable gap in user awareness and protection mechanisms. The absence of clear visual indicators when pages enter fullscreen state allows malicious actors to manipulate the browser interface in ways that compromise user trust and security.
The technical implementation flaw lies in Zen Browser's insufficient handling of fullscreen mode transitions within its user interface framework. When a webpage requests fullscreen access, the browser should maintain visible security indicators that clearly display the actual origin information and browser controls. However, prior to version 1.19.13b, the browser failed to preserve these critical security elements during fullscreen operations, enabling attackers to create convincing phishing interfaces that mask the true source of web content.
This vulnerability creates a significant operational risk by enabling sophisticated phishing attacks that exploit the browser's interface design limitations. Attackers can leverage this flaw to craft malicious pages that appear legitimate while operating in fullscreen mode, effectively hiding the real browser UI and origin information. The combination of fullscreen mode with long-domain URL elision techniques allows threat actors to create deceptive interfaces that closely mimic trusted websites, making it extremely difficult for users to distinguish between genuine and malicious content.
The security implications extend beyond simple phishing scenarios to encompass credential theft and broader information disclosure risks. Users operating under the false assumption that they are interacting with legitimate websites may unknowingly enter sensitive information into attacker-controlled interfaces. This vulnerability directly impacts the browser's security posture by creating an attack surface where users' trust assumptions can be manipulated through interface deception techniques.
The mitigation implemented in version 1.19.13b addresses this issue by introducing persistent security notifications that remain visible during fullscreen transitions, ensuring users maintain awareness of their actual browsing context. This fix aligns with established security principles and follows industry best practices for maintaining user awareness during potentially dangerous browser operations. The solution demonstrates proper adherence to security design principles that prioritize user transparency and clear communication of security status information.
This vulnerability type relates to CWE-602 client-side cross-site scripting and CWE-352 cross-site request forgery categories, as it enables attackers to manipulate the browser interface to deceive users into performing unintended actions. The implementation addresses ATT&CK technique T1566.001 credential access through deceptive UI manipulation, preventing adversaries from leveraging user trust to compromise security. The fix represents a fundamental improvement in browser security by ensuring that user interface elements maintain their security-relevant properties regardless of browser state changes, particularly during fullscreen operations where user attention may be diverted from normal security indicators.
The remediation approach adopted by Zen Browser developers demonstrates proper security engineering practices by addressing the root cause rather than implementing superficial fixes. The solution ensures that security notifications remain persistent and visible across all browser states, including fullscreen mode, thereby maintaining user awareness of their actual browsing context. This approach aligns with security standards that require continuous security communication to users regardless of application state changes.