CVE-2023-23603 is a vulnerability identified in Mozilla Firefox and Thunderbird where the regular expressions used to sanitize style directives in console.log calls failed to properly filter out external URLs. This flaw allows attackers to craft malicious web content that, when logged to the console, can bypass the intended filtering mechanisms and potentially exfiltrate sensitive data from the browser environment. The vulnerability affects Firefox versions prior to 109, Firefox ESR versions prior to 102.7, and Thunderbird versions prior to 102.7. The core technical issue relates to CWE-770, which involves allocation of resources without limits or throttling, here manifesting as insufficient validation of console logging inputs. The CVSS 3.1 base score is 6.5, reflecting a medium severity with a vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no impact on integrity or availability. Exploitation requires a user to visit a malicious site or interact with crafted content that triggers console.log with malicious style directives containing external URLs. While no exploits are currently known in the wild, the vulnerability poses a risk of data leakage from affected browsers. The issue was publicly disclosed on June 2, 2023, and patches have been released in Firefox 109 and ESR 102.7 and Thunderbird 102.7 to address the problem.

For European organizations, this vulnerability primarily threatens the confidentiality of sensitive information accessible through the browser or email client environments. Attackers could potentially exfiltrate data such as session tokens, user input, or other sensitive content by exploiting the flawed console.log filtering. This risk is heightened in environments where users frequently access untrusted or malicious web content, such as public-facing web applications or email clients processing HTML content. Although the vulnerability does not affect integrity or availability, the confidentiality breach could lead to further attacks, including account takeover or data theft. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance and reputational risks if exploited. The requirement for user interaction limits mass exploitation but targeted phishing or watering hole attacks remain plausible. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.

The primary mitigation is to upgrade affected Mozilla products to the fixed versions: Firefox 109 or later, Firefox ESR 102.7 or later, and Thunderbird 102.7 or later. Organizations should enforce automatic updates or centrally manage patch deployment to ensure timely remediation. Additionally, implementing strict Content Security Policies (CSP) can reduce the risk of malicious scripts executing or logging harmful content. Security teams should monitor browser console usage and audit logs for unusual activity that might indicate exploitation attempts. User awareness training to recognize phishing and suspicious web content can reduce the likelihood of user interaction triggering the vulnerability. Network-level protections such as web filtering and sandboxing untrusted web content can further mitigate risk. Finally, organizations should review and limit browser extensions or plugins that might increase exposure to malicious console.log calls.