CVE-2024-10460: Confusing display of origin for external protocol handler prompt in Mozilla Firefox
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
AI Analysis
Technical Summary
CVE-2024-10460 is a vulnerability in Mozilla Firefox and Thunderbird in which the origin shown in an external protocol handler prompt could be obscured by triggering the prompt from a data: URL loaded inside an iframe. External protocol handlers are the mechanism by which the browser hands a URL with a non-web scheme (for example mailto: or skype:) to an external application. Before launching that application, Firefox shows a prompt naming the site that made the request so the user can decide whether to allow it. A document loaded from a data: URL has an opaque origin rather than the origin of the page that embedded it, so if the prompt is attributed to the frame that issued the request instead of to the top-level page, it no longer tells the user which site is actually asking. An attacker controlling a web page can therefore nest the triggering content in a data: iframe and present a prompt whose displayed origin does not point back to the attacker's site, making the request look more trustworthy than it is. The flaw affects Firefox before 132, Firefox ESR before 128.4, and Thunderbird before 128.4 and before 132; Thunderbird renders HTML mail with the same engine, so the same frame and prompt handling applies there. The CVSS v3.1 base score is 5.4 (medium): the attack is network-reachable and needs no privileges, but it requires user interaction (the user must approve the prompt), and the direct impact is limited to confidentiality and integrity, with no impact on availability. The weakness is classified as CWE-346 (Origin Validation Error). No public exploit had been reported at the time of writing. The practical use of the flaw is phishing and social engineering: luring a user into approving an external application launch that they would have refused had the prompt shown the real origin.
Potential Impact
For European organizations the risk is chiefly through social engineering and phishing. An attacker can craft web content, or an HTML email rendered in Thunderbird, in which the prompt to launch an external application does not clearly name the attacker's site, so users are more likely to approve it. What happens next depends on the handler that is approved: launching a locally installed application with attacker-chosen arguments, initiating an unintended call or message, or reaching any further weakness in that application. The consent prompt is still shown, so this is not a silent bypass; the harm is that the consent is uninformed. The impact on confidentiality and integrity is limited; availability is unaffected. Firefox and Thunderbird are widely deployed across European enterprises, public administrations and universities, so the exposed population is large, but the need for user interaction and the absence of a known public exploit keep the immediate risk moderate. The realistic scenario is a targeted campaign that uses the flaw as one step toward an initial foothold; the vulnerability does not escalate privileges by itself.
Mitigation Recommendations
1. Update to Firefox 132 or later, Firefox ESR 128.4 or later, and Thunderbird 128.4 or later (or 132 or later); these releases contain the fix.
2. Until updates are applied, brief users that an external protocol prompt should name the site shown in the URL bar, and that a prompt appearing in an unexpected context, or from embedded content, should be declined.
3. Use Firefox enterprise policies to tighten handler behaviour: the Handlers policy in policies.json can force a prompt for a given scheme, and the preference network.protocol-handler.external.<scheme> can be set to false to disable launching a scheme that has no business use.
4. Where a web proxy or mail gateway inspects content, flag HTML that nests non-http(s) links inside iframes whose src is a data: URL; blocking all data: URLs or all iframes is not practical, but this particular combination is rare in legitimate content.
5. Monitor user reports and endpoint logs for unusual external protocol handler launches that could indicate exploitation attempts.
6. Tell users to treat the URL bar, not the prompt text, as the authoritative statement of which site is asking, and not to approve unsolicited external protocol requests.
7. Consider endpoint protection that can detect and block unexpected application launches originating from browser or mail-client processes.
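The following is an added example, not Mozilla's code and not part of the advisory. It approximates the content-filtering mitigation above as a small scanner: it parses an HTML document, decodes any iframe whose src is a data: URL (percent-encoded or base64), and reports links inside such frames whose scheme is not handled by the browser itself and so would reach an external protocol handler. The scheme allowlist, the sample pages and the use of the skype: scheme (taken from the summary's own example) are assumptions made for illustration.

```python
"""Flag HTML that nests external-protocol links inside data: URL iframes.

Added example for this advisory; not Mozilla code. Sample pages below are
constructed. The scanner reports links that sit inside a data: iframe, the
pattern the CVE describes, and ignores links at the top level, where the
prompt's origin matches the URL bar.
"""
import base64
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

# Assumption: schemes the browser handles internally. Anything else is
# passed to an external handler and would trigger the affected prompt.
BROWSER_SCHEMES = {"http", "https", "about", "blob", "data", "javascript", ""}


def decode_data_url(url):
    """Return the body of a data: URL as text, or None for any other URL."""
    if not url.lower().startswith("data:"):
        return None
    header, sep, payload = url[5:].partition(",")
    if not sep:
        return None
    if header.lower().endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8", "replace")
    return unquote(payload)


def _scheme(href):
    """Scheme of href, lower-cased; malformed URLs are flagged, not ignored."""
    try:
        return urlsplit(href).scheme.lower()
    except ValueError:
        return "<invalid>"


class _Collector(HTMLParser):
    """Collect iframe sources and link targets from one document."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag in ("a", "area") and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # <meta http-equiv=refresh content="0; url=skype:..."> also reaches a handler
            _, sep, target = a.get("content", "").partition("=")
            if sep:
                self.links.append(target.strip())


def external_links(html):
    """Return (external hrefs, iframe srcs) found directly in `html`."""
    c = _Collector()
    c.feed(html)
    external = [h.strip() for h in c.links
                if _scheme(h.strip()) not in BROWSER_SCHEMES]
    return external, c.iframes


def find_obscured_handlers(html, depth=0, max_depth=3):
    """Return (nesting depth, href) for external-protocol links inside data: iframes.

    max_depth bounds recursion on hostile input (data: frames nested in data: frames).
    """
    findings = []
    if depth > max_depth:
        return findings
    links, iframes = external_links(html)
    if depth > 0:
        findings.extend((depth, h) for h in links)
    for src in iframes:
        inner = decode_data_url(src)
        if inner is not None:
            findings.extend(find_obscured_handlers(inner, depth + 1, max_depth))
    return findings


# Constructed samples (not real pages).
SAMPLE_BENIGN = ('<html><body><a href="https://example.test/">site</a>'
                 '<a href="mailto:ops@example.test">mail</a></body></html>')
_INNER = '<a href="skype:example?call">Call support</a>'
SAMPLE_OBSCURED = ('<iframe src="data:text/html;base64,'
                   + base64.b64encode(_INNER.encode()).decode() + '"></iframe>')
_MID = '<iframe src="data:text/html,' + quote(_INNER, safe="") + '"></iframe>'
SAMPLE_NESTED = '<iframe src="data:text/html,' + quote(_MID, safe="") + '"></iframe>'

if __name__ == "__main__":
    for name, page in [("benign", SAMPLE_BENIGN), ("obscured", SAMPLE_OBSCURED),
                       ("nested", SAMPLE_NESTED)]:
        print(name, find_obscured_handlers(page))
```

A top-level mailto: link is deliberately not reported: the prompt for it is attributed to the page the user can see in the URL bar, so there is nothing to obscure. The scanner only looks at the static markup; a frame whose body is built by script at runtime would need a rendering sandbox rather than a parser.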
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mozilla
- Date Reserved: 2024-10-28T14:23:10.572Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 11/3/2025, 10:00:51 PM
Last enriched: 11/3/2025, 11:12:49 PM
Last updated: 11/5/2025, 2:10:48 PM