CVE-2024-10458 is a vulnerability identified in Mozilla Firefox and Thunderbird that results in a permission leak via the use of HTML embed or object elements. Specifically, this flaw allows permissions granted to a trusted site to be inadvertently passed to an untrusted site embedded within it. This occurs because the browser fails to properly isolate permissions between the parent trusted context and the embedded untrusted content. The vulnerability affects Firefox versions prior to 132, Firefox ESR versions prior to 128.4 and 115.17, and Thunderbird versions prior to 128.4 and 132. The issue is classified under CWE-281, which relates to improper authorization. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The attack vector is network-based, requiring no privileges but user interaction, and the scope remains unchanged. The primary impact is on confidentiality, as unauthorized sites could gain access to permissions or data they should not have. There is no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability could be leveraged in targeted phishing or drive-by attacks where a user visits a malicious site embedding content from a trusted site. The flaw highlights the importance of strict permission boundaries in browser security models, especially concerning embedded content. Mozilla has reserved the CVE and is expected to release patches in upcoming updates.

For European organizations, this vulnerability poses a confidentiality risk by potentially allowing untrusted web content to access permissions or data intended only for trusted sites. This could lead to unauthorized data exposure, especially in environments where sensitive information is accessed via Firefox or Thunderbird, such as government agencies, financial institutions, and healthcare providers. The requirement for user interaction means phishing or social engineering could be used to trigger exploitation. While integrity and availability are not affected, the leak of permissions could facilitate further attacks or data breaches. Organizations relying heavily on Firefox or Thunderbird for email and web access should consider this a significant risk, particularly if they have workflows involving embedded third-party content. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once patches are released. Failure to update promptly could expose European entities to targeted espionage or data theft campaigns.

1. Immediately plan to update Mozilla Firefox to version 132 or later and Thunderbird to version 132 or later once patches are officially released. 2. Until patches are available, restrict or monitor the use of embed and object HTML elements in internal web applications and email content, especially from untrusted sources. 3. Implement content security policies (CSP) that limit embedding of external content and enforce strict origin isolation. 4. Educate users about the risks of interacting with suspicious links or embedded content, emphasizing caution with unknown or untrusted sites. 5. Use browser security features such as site isolation and sandboxing to minimize cross-origin permission leaks. 6. Monitor network traffic and logs for unusual activity that could indicate exploitation attempts involving embedded content. 7. Coordinate with IT and security teams to prioritize patch management for browsers and email clients across the organization. 8. Consider deploying endpoint protection solutions that can detect anomalous browser behavior related to permission leaks.