CVE-2024-6607: Vulnerability in Mozilla Firefox
It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128 and Thunderbird < 128.
AI Analysis
Technical Summary
CVE-2024-6607 is a vulnerability in Mozilla Firefox and Thunderbird prior to version 128 that arises from weaknesses in the browser's pointer lock and UI permission prompt handling. Specifically, the flaw allows an attacker-controlled webpage to prevent the user from exiting pointer lock mode by disabling the Escape key functionality, which normally allows users to regain control from fullscreen or pointer lock states. Additionally, the attacker can overlay customValidity notifications from a `<select>` HTML element on top of permission prompts. This overlay can visually obscure or mimic legitimate permission dialogs, misleading users into granting permissions such as camera, microphone, or location access unintentionally. The vulnerability stems from improper handling of UI elements and event controls, categorized under CWE-763 (Improper Control of Pointer Lock). The CVSS 3.1 base score of 8.8 reflects a network attack vector with low attack complexity and no privileges required, with user interaction required. The impact covers confidentiality, integrity, and availability, as unauthorized permissions can lead to data leakage, unauthorized actions, or denial of service. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. This threat is particularly concerning because it combines social engineering with technical UI manipulation to bypass user consent mechanisms, a critical security boundary in modern browsers.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized access to sensitive resources through deceptive permission granting. Attackers could exploit this flaw to gain access to webcams, microphones, location data, or other sensitive APIs, potentially leading to espionage, data breaches, or disruption of services. Sectors such as finance, government, healthcare, and critical infrastructure that rely heavily on Firefox or Thunderbird for communication and web access are at heightened risk. The ability to prevent pointer lock exit and overlay deceptive UI elements can facilitate sophisticated phishing or social engineering campaigns, increasing the likelihood of successful exploitation. Furthermore, the compromise of user permissions can cascade into broader network intrusions or data exfiltration. Given the widespread use of Firefox across Europe, especially in privacy-conscious countries and organizations, the potential impact is broad and severe if unmitigated.
Mitigation Recommendations
1. Immediately update Mozilla Firefox and Thunderbird to version 128 or later, where this vulnerability is fixed.
2. Implement enterprise-wide patch management policies to ensure timely updates of browsers and email clients.
3. Educate users about the risks of granting permissions and recognizing suspicious or unexpected permission prompts, emphasizing caution with unfamiliar websites.
4. Employ browser security configurations or extensions that restrict or notify users about permission requests, especially for camera, microphone, and location.
5. Use network-level controls to monitor and restrict access to sensitive resources from untrusted or unknown web domains.
6. Conduct phishing awareness training focused on UI manipulation and social engineering techniques.
7. For high-risk environments, consider deploying endpoint security solutions that can detect anomalous browser behaviors or unauthorized permission grants.
8. Monitor security advisories from Mozilla for patches and further guidance.
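As an added illustration of recommendation 4 (this fragment is not part of the advisory above or of Mozilla's material for this CVE), a Firefox enterprise policies.json that pins camera, microphone and location permissions to an allow-list of organization origins and blocks new permission requests from every other site, so that on unlisted sites the prompt an overlay could obscure is never shown; `https://meet.corp.example` is a placeholder origin, and `Locked` keeps users from changing these settings in about:preferences.

```json
{
  "policies": {
    "Permissions": {
      "Camera": {
        "Allow": ["https://meet.corp.example"],
        "Block": [],
        "BlockNewRequests": true,
        "Locked": true
      },
      "Microphone": {
        "Allow": ["https://meet.corp.example"],
        "Block": [],
        "BlockNewRequests": true,
        "Locked": true
      },
      "Location": {
        "Allow": [],
        "Block": [],
        "BlockNewRequests": true,
        "Locked": true
      }
    }
  }
}
```

Deploy it as `distribution/policies.json` under the Firefox installation directory (or `/etc/firefox/policies/policies.json` on Linux), or deliver the same settings through Group Policy on Windows; it complements, but does not replace, the upgrade to version 128.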
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mozilla
- Date Reserved: 2024-07-09T14:12:56.881Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69039192aebfcd54747fad0c
Added to database: 10/30/2025, 4:25:54 PM
Last enriched: 10/30/2025, 4:41:42 PM
Last updated: 12/20/2025, 5:12:14 PM