CVE-2023-23600: Vulnerability in Mozilla Firefox
Per-origin notification permissions were being stored in a way that didn't take into account what browsing context the permission was granted in. This led to the possibility of notifications being displayed during different browsing sessions. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 109.
AI Analysis
Technical Summary
CVE-2023-23600 is a vulnerability identified in Mozilla Firefox for Android versions earlier than 109. The issue arises from the way Firefox stores per-origin notification permissions without properly isolating them by browsing context. Browsing context refers to the environment or session in which a user interacts with a website, such as different tabs, private browsing windows, or separate sessions. Because the permission storage mechanism did not account for these contexts, a permission granted in one context could be reused or triggered in another, potentially allowing notifications to appear unexpectedly or in inappropriate contexts. This could lead to user confusion, phishing attempts, or social engineering attacks by displaying notifications that appear legitimate but originate from a different browsing session. The vulnerability is limited to Firefox on Android devices; desktop and other operating system versions are unaffected. There are no known exploits reported in the wild, and Mozilla has published the vulnerability without an assigned CVSS score. The root cause is a design flaw in permission management related to notification APIs and context isolation. While the vulnerability does not directly enable remote code execution or data exfiltration, it undermines user trust and the integrity of notification permissions, which could be leveraged in targeted attacks to deceive users. The fix involves updating Firefox for Android to version 109 or later, where the permission storage mechanism correctly isolates permissions by browsing context, preventing cross-session notification abuse.
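As an added illustration of the permission-storage flaw described above (this is not Firefox's own code or its fix; the store, the context labels "normal" and "private", and the origin are constructed for the example), the following JavaScript models two notification-permission stores side by side: one keyed by origin alone, which is the behaviour the advisory describes, and one keyed by origin plus browsing context. Querying the private context after a grant in the normal context shows the difference, and clearing one context shows that the isolated store leaves other contexts untouched.

```javascript
// Added example: a minimal model of per-origin permission storage, not Firefox's code.
// A "browsing context" is modelled as a plain label such as "normal" or "private"
// (constructed for illustration; real browsers carry richer context information).

// Build a permission store. With isolateByContext === false the key is the origin
// alone, which is the flawed behaviour CVE-2023-23600 describes: a grant made in one
// context is visible from every other context. With true, the key includes the context.
function createNotificationPermissionStore(isolateByContext) {
  const grants = new Map(); // key -> "granted" | "denied"

  function keyFor(origin, context) {
    return isolateByContext ? `${context}|${origin}` : origin;
  }

  return {
    set(origin, context, state) {
      grants.set(keyFor(origin, context), state);
    },
    // "default" mirrors the Notification API's meaning of "no decision recorded".
    query(origin, context) {
      return grants.get(keyFor(origin, context)) ?? "default";
    },
    // Forget every grant recorded for one context (e.g. a private session ending).
    // In the non-isolated store there is nothing context-specific to forget, which is
    // the same design gap seen from the other side.
    clearContext(context) {
      if (!isolateByContext) return;
      for (const key of [...grants.keys()]) {
        if (key.startsWith(`${context}|`)) grants.delete(key);
      }
    },
  };
}

// Reproduce the defect and the fix side by side: grant in the normal context, then
// query from a different (private) context. Returns the answers for comparison.
function demonstrateContextLeak() {
  const origin = "https://example.test"; // constructed sample origin
  const flawed = createNotificationPermissionStore(false);
  const fixed = createNotificationPermissionStore(true);

  flawed.set(origin, "normal", "granted");
  fixed.set(origin, "normal", "granted");

  // Give the isolated store a private-context grant too, then end that session.
  fixed.set(origin, "private", "granted");
  fixed.clearContext("private");

  return {
    flawedPrivateView: flawed.query(origin, "private"), // "granted": leaks across contexts
    fixedPrivateView: fixed.query(origin, "private"),   // "default": cleared with its context
    fixedNormalView: fixed.query(origin, "normal"),     // "granted": other context untouched
  };
}

console.log(demonstrateContextLeak());
```

The point a defender takes from this is the key shape: any permission or consent that can differ between sessions has to carry the session in its storage key, and clearing a session must be able to find exactly its own entries.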
Potential Impact
For European organizations, the primary impact of CVE-2023-23600 is on user privacy and trust rather than direct compromise of sensitive data or systems. Organizations relying on Firefox for Android for internal communications or customer interactions may face risks of users receiving misleading notifications, which could be exploited for phishing or social engineering. This could lead to inadvertent disclosure of credentials or installation of malicious applications if users are tricked by spoofed notifications. The impact on operational availability or data integrity is minimal. However, sectors with high mobile workforce usage, such as finance, healthcare, and government, could see increased risk if attackers leverage this vulnerability to deliver deceptive notifications. Since the vulnerability is limited to Android devices, organizations with significant Android Firefox user bases are more exposed. The lack of known exploits reduces immediate risk, but the potential for abuse in targeted attacks necessitates prompt remediation. Failure to address this vulnerability could also affect compliance with privacy regulations like GDPR if user consent mechanisms are undermined.
Mitigation Recommendations
The most effective mitigation is to update Firefox for Android to version 109 or later, where the vulnerability has been addressed. Organizations should enforce mobile device management (MDM) policies that mandate timely updates of browser applications on employee devices. Additionally, users should be educated to review and manage notification permissions carefully, revoking permissions from untrusted or unnecessary websites. Implementing browser configuration policies that restrict notification permissions or prompt users before granting them can reduce exposure. Monitoring for unusual notification activity or reports of suspicious notifications can help detect exploitation attempts. For organizations providing web services, ensuring that notification requests are legitimate and educating users about phishing risks related to notifications is important. Finally, maintaining an inventory of devices and browsers in use will help prioritize patch deployment and risk assessment.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mozilla
- Date Reserved: 2023-01-16T00:00:00
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69441d2a4eb3efac369420c5
Added to database: 12/18/2025, 3:26:34 PM
Last enriched: 12/18/2025, 3:58:18 PM
Last updated: 2/21/2026, 2:17:24 AM
Views: 40