CVE-2023-42939: A user's private browsing activity may be unexpectedly saved in the App Privacy Report in Apple iOS and iPadOS
A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1. A user's private browsing activity may be unexpectedly saved in the App Privacy Report.
AI Analysis
Technical Summary
CVE-2023-42939 is a logic vulnerability in Apple’s iOS and iPadOS that causes private browsing activity to be unexpectedly saved in the App Privacy Report. The App Privacy Report is designed to give users transparency about app behaviour, including network activity and sensor usage, without compromising their privacy. Due to a logic flaw (classified under CWE-841: Improper Control of a Resource Through its Lifetime), private browsing sessions, which are intended to leave no trace of visited sites, may nevertheless be recorded in this report, undermining the confidentiality guarantee of private browsing. The vulnerability requires local access (CVSS attack vector AV:L) and has low attack complexity; no user interaction is needed. It does not affect data integrity or system availability. Apple resolved the issue with improved checks in iOS 17.1 and iPadOS 17.1, ensuring private browsing data is excluded from the App Privacy Report. No public exploits or active exploitation have been reported. The CVSS v3.1 base score is 3.3, a low severity that reflects the limited impact scope and the need for local access. The issue is most relevant to users and organizations that prioritize privacy on Apple mobile devices, since it could expose browsing habits to anyone able to view the device’s privacy report.
Potential Impact
The primary impact of CVE-2023-42939 is on the confidentiality of user data, specifically the leakage of private browsing activity through the App Privacy Report. For European organizations, this could lead to unintended exposure of sensitive browsing information on corporate or personal devices, potentially violating privacy policies and data protection regulations such as the GDPR. Although the vulnerability does not allow remote exploitation or compromise system integrity or availability, the inadvertent logging of private browsing data could be exploited by insiders or attackers with local access to the device. This risk is heightened in environments where devices are shared or inspected by IT personnel. The impact on organizational reputation and compliance could be significant if private user activity is exposed. However, the lack of known exploits and the requirement for local access reduce the overall risk. Prompt patching mitigates these concerns effectively.
Mitigation Recommendations
To mitigate CVE-2023-42939, European organizations should:
1) Ensure all Apple iOS and iPadOS devices are updated to version 17.1 or later, where the vulnerability is fixed.
2) Review and restrict access to the App Privacy Report feature, limiting it to trusted users only, to prevent unauthorized viewing of private browsing data.
3) Educate users about the importance of applying updates promptly and maintaining device security to prevent local unauthorized access.
4) Implement mobile device management (MDM) policies that enforce OS updates and control privacy report settings.
5) Regularly audit devices for compliance with privacy policies and monitor for any unusual access to privacy reports.
6) Consider disabling the App Privacy Report feature temporarily if immediate patching is not possible and privacy concerns are critical.
These steps go beyond generic advice by focusing on controlling access to the privacy report and leveraging organizational policies to reduce exposure.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Sweden, Norway, Denmark, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2023-09-14T19:05:11.471Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690a5554a730e5a3d9d7a2d5
Added to database: 11/4/2025, 7:34:44 PM
Last enriched: 11/4/2025, 8:06:56 PM
Last updated: 11/4/2025, 9:35:06 PM