Skip to content

Zen Browser - Missing Fullscreen Security Notification Allows Origin Spoofing

High
mr-cheffy published GHSA-vjfv-85qf-v25c May 13, 2026

Package

No package listed

Affected versions

<= 1.19.12b

Patched versions

>= 1.19.13b

Description

Summary
The browser fails to provide a persistent or clearly visible security notification when a webpage enters fullscreen mode. An attacker can abuse this behavior by opening a malicious website that visually imitates a legitimate domain while hiding the real browser UI and origin information. This becomes especially dangerous when combined with existing long-domain URL eliding spoofing issue, allowing attackers to completely hide the actual malicious domain and convincingly spoof trusted websites. Since fullscreen mode removes the visible address bar, users are unable to verify the authenticity of the website, leading to realistic phishing and credential theft scenarios.

Steps to Reproduce

  1. Open a POC webpage https://summa-test.vercel.app/fullscreen.html
  2. Click the input fields
  3. Observe that:
    The browser enters fullscreen mode without a sufficiently persistent security/origin notification.
    The address bar and browser origin indicators are hidden.
    The malicious page can fully imitate a trusted website UI.
  4. Combine this with a long-domain URL eliding spoofing issue to further conceal the actual malicious origin.
  5. Victims may believe they are interacting with the legitimate website and enter sensitive credentials.

POC Video: https://drive.google.com/file/d/1im6MH2C1SSVNLJ1JFBJX6SUYRPIhz3FR/view?usp=sharing

Security Impact
This issue enables realistic fullscreen phishing and origin spoofing attacks by hiding trusted browser security indicators. Attackers can create highly convincing fake login pages, browser dialogs, or payment portals while concealing the actual malicious domain from the victim. When combined with existing URL eliding spoofing behaviors, this can lead to complete website impersonation, credential theft, session hijacking, and other phishing-related attacks. Since origin visibility is a core browser security boundary, the absence of a strong fullscreen security indicator significantly increases the risk of user deception.

Actual Behavior:
The browser hides origin and security UI in fullscreen mode without providing a sufficiently persistent and visible warning/notification to the user.

Expected Behavior:
The browser should display a persistent, non-spoofable security indicator showing the active origin/domain while in fullscreen mode, preventing malicious sites from concealing their identity.

References
https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
https://issues.chromium.org/issues/40068607
https://issues.chromium.org/issues/40063041

Severity

High

CVE ID

CVE-2026-45150

Weaknesses

User Interface (UI) Misrepresentation of Critical Information

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. Learn more on MITRE.

Credits