
CVE-2026-0887: Vulnerability in Mozilla Firefox

Severity: Medium
Type: Vulnerability (CVE-2026-0887)
Published: Tue Jan 13 2026 (01/13/2026, 13:30:57 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

AI-Powered Analysis

Last updated: 01/21/2026, 02:19:55 UTC

Technical Analysis

CVE-2026-0887 is a vulnerability in the PDF Viewer component (the built-in pdf.js viewer) of Mozilla Firefox and Thunderbird. Affected builds are Firefox below 147, Firefox ESR below 140.7, Thunderbird below 147 and Thunderbird below 140.7; the releases at those bounds, 147 and 140.7, are where the fix ships. Mozilla's description classifies the issue as a clickjacking problem that results in information disclosure. This record maps it to CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere); clickjacking as a weakness class is catalogued separately as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), so expect either identifier when correlating feeds.

Clickjacking means that attacker-controlled content embeds or overlays another interface so that the user's clicks land on controls they did not intend to operate or cannot see. Mozilla's one-line description does not state the mechanism for this CVE. The plausible reading, which is inference rather than something the advisory states, is that a malicious web page can frame or overlay the PDF Viewer's interface so that a user interacting with the page unknowingly triggers viewer actions that expose information from a PDF rendered in the browser.

This analysis cites a CVSS v3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N: exploitable over the network without privileges, but requiring user interaction, with limited confidentiality impact and no effect on integrity or availability. Note that the CVE record itself (see Technical Details) carries no CVSS field, so the score is this analysis's assessment rather than a vendor-supplied metric.

Exploitation requires the victim to open attacker-controlled content that is rendered by an affected viewer, so phishing or other social engineering is the expected delivery path. No exploitation in the wild has been reported. This record links no patch, but the affected-version bounds show that the fix is already in Firefox 147, Firefox ESR 140.7 and the corresponding Thunderbird releases; the missing link is a gap in the record, not a sign that remediation is pending.

Potential Impact

For European organizations, the primary impact of CVE-2026-0887 is unauthorized disclosure of information contained in PDF documents viewed in Firefox or Thunderbird. Depending on the documents involved, this can expose confidential business data, intellectual property or personal data, with GDPR consequences where personal data is affected. Integrity and availability are not impacted, but a confidentiality breach carries reputational and legal exposure. Organizations that handle documents and mail through Firefox and Thunderbird are exposed chiefly through phishing campaigns that lure users to crafted content. The user-interaction requirement and the absence of known exploits lower the immediate risk without removing it, particularly in finance, government and critical infrastructure. Chaining with other vulnerabilities could raise the impact, though no such case is documented.

Mitigation Recommendations

To mitigate CVE-2026-0887, update Firefox to 147 or later, Firefox ESR to 140.7 or later, and Thunderbird to 147 or 140.7 or later depending on the release line in use. These are the fixed releases given by the advisory's affected-version bounds; the fix is not pending, so the update is the remediation. Where updating is delayed, the following measures reduce exposure but do not close the issue.

Framing protections apply to content you serve, not to the browser at large. Sending Content-Security-Policy: frame-ancestors 'none' (or X-Frame-Options: DENY) on the PDF responses your own servers return tells the browser to refuse to render those documents inside a third-party page, which denies a clickjacking page the ability to embed them. It does nothing for PDFs users open from other sites.

Administrators can disable the built-in viewer through the Firefox enterprise policy DisableBuiltinPDFViewer (deliverable via policies.json, Windows Group Policy or a macOS configuration profile), which makes Firefox download PDFs and hand them to the system's PDF application instead of rendering them with pdf.js. This removes the affected component from the browser's attack surface but shifts it to the external reader, which must itself be kept current.

User awareness training on suspicious links and unfamiliar web content, web filtering of known malicious URLs, and phishing detection reduce the likelihood that crafted content reaches a user. Monitoring for anomalous PDF handling or data exfiltration provides early detection. Track Mozilla's security advisories and apply updates promptly.
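As an added example, not taken from this page or from Mozilla, the following Python check encodes the advisory's affected-version bounds so that a fleet inventory can be classified. It assumes version strings in the format printed by `firefox --version` and `thunderbird --version` (for example "Mozilla Firefox 140.7.0esr"); the host names and inventory lines are constructed. The point it demonstrates is the branch-specific bound: a plain "major < 147" test would misreport 140.7esr, which is fixed, while versions on lines older than 140 fall under the literal "< 147" bound and are reported as affected.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed releases, taken from the advisory's affected-version list:
# Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, Thunderbird < 140.7.
MAINLINE_FIXED_MAJOR = 147
LTS_BRANCH_MAJOR = 140
LTS_FIXED_MINOR = 7

# Matches "140.7.0esr", "146.0.1" or "141.0"; patch level and "esr" tag are optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_esr) from a string such as the output of
    `firefox --version`, e.g. 'Mozilla Firefox 140.7.0esr' -> (140, 7, 0, True)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no major.minor version found in {text!r}")
    major, minor, patch, esr = m.groups()
    return int(major), int(minor), int(patch or 0), esr is not None


def is_affected(version_text: str) -> bool:
    """True if the build lies inside the advisory's affected range.

    The 140 line is the one branch with its own fix (140.7), so it is tested
    on the minor version; every other line is fixed only from 147 onwards.
    Lines older than 140 (e.g. the end-of-life 115 ESR) fall under the literal
    '< 147' bound and are reported as affected, the conservative reading.
    """
    major, minor, _patch, _is_esr = parse_version(version_text)
    if major == LTS_BRANCH_MAJOR:
        return minor < LTS_FIXED_MINOR
    return major < MAINLINE_FIXED_MAJOR


def classify_inventory(rows: Iterable[str]) -> Dict[str, bool]:
    """Map hostname -> affected for lines of the form 'host,<--version output>'."""
    result: Dict[str, bool] = {}
    for row in rows:
        host, _, version_text = row.partition(",")
        result[host.strip()] = is_affected(version_text)
    return result


# Constructed sample inventory (hypothetical hosts), one line per endpoint.
SAMPLE_INVENTORY = [
    "ws-01,Mozilla Firefox 146.0.1",
    "ws-02,Mozilla Firefox 147.0",
    "ws-03,Mozilla Firefox 140.6.0esr",
    "ws-04,Mozilla Firefox 140.7.0esr",
    "mail-01,Thunderbird 141.0",
    "mail-02,Thunderbird 140.7.0esr",
]

if __name__ == "__main__":
    for host, affected in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE REQUIRED' if affected else 'ok'}")
```

Feed it the real inventory export in place of SAMPLE_INVENTORY; any host that prints UPDATE REQUIRED is below the fixed release for its branch.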


Technical Details

Data Version: 5.2
Assigner Short Name: mozilla
Date Reserved: 2026-01-13T13:30:57.650Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69664f11a60475309f2ea323

Added to database: 1/13/2026, 1:56:33 PM

Last enriched: 1/21/2026, 2:19:55 AM

Last updated: 2/7/2026, 11:19:06 AM

