Security researcher Juho Nurminen reported that on Firefox for Android, when the addressbar has been scrolled off screen, an attacker can prevent it from rendering again through the use of script interacting DOM events. This allows an attacker to present a fake addressbar to the user, possibly leading to successful phishing attacks.