CVE-2023-23602 is a vulnerability identified in Mozilla Firefox and Thunderbird that arises from improper enforcement of the Content Security Policy (CSP) connect-src directive within WebWorkers. Specifically, when a WebSocket is created inside a WebWorker, the security check intended to restrict connections to allowed origins is mishandled, resulting in the CSP connect-src header being ignored. This allows WebWorkers to initiate WebSocket connections to origins that should be blocked by CSP, potentially enabling malicious scripts to communicate with unauthorized external servers. The vulnerability affects Firefox versions earlier than 109, Firefox ESR versions earlier than 102.7, and Thunderbird versions earlier than 102.7. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with an attack vector of network, low attack complexity, no privileges required, but requiring user interaction. The impact primarily concerns integrity, as unauthorized connections could lead to data manipulation or leakage. No known exploits have been reported in the wild as of the publication date. The root cause relates to CWE-754, indicating improper check for unusual or exceptional conditions. The vulnerability was publicly disclosed on June 2, 2023, and patches are expected to be available in the updated versions mentioned. This flaw highlights the importance of correctly enforcing CSP policies across all browser contexts, including WebWorkers, to prevent circumvention of security controls.

For European organizations, this vulnerability poses a risk to the integrity of web applications and communications that rely on Firefox or Thunderbird clients. Attackers could exploit this flaw to bypass CSP restrictions and establish unauthorized WebSocket connections from WebWorkers, potentially leading to data exfiltration, unauthorized command and control communications, or injection of malicious payloads. This could compromise sensitive information or disrupt business operations, especially in sectors handling confidential data such as finance, healthcare, and government. Since Firefox and Thunderbird have significant user bases in Europe, particularly in privacy-conscious countries, the risk of targeted exploitation exists. The vulnerability does not directly impact confidentiality or availability but undermines the integrity of client-side security policies, which could be leveraged as part of a broader attack chain. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing or social engineering scenarios common in European cyber threat landscapes.

European organizations should prioritize updating Firefox to version 109 or later, and Thunderbird to version 102.7 or later, as these versions contain the necessary patches to address CVE-2023-23602. Until updates are applied, organizations should consider implementing strict network-level controls to monitor and restrict unauthorized WebSocket connections, especially those originating from client devices. Web application developers should review and reinforce CSP policies, ensuring comprehensive coverage and testing within all browser contexts, including WebWorkers. Security teams should educate users about the risks of interacting with untrusted web content to reduce the likelihood of exploitation requiring user interaction. Additionally, deploying endpoint detection and response (EDR) solutions capable of monitoring unusual WebSocket activity can help detect potential exploitation attempts. Regular vulnerability scanning and patch management processes should be enforced to maintain up-to-date software versions.