Impact
This vulnerability enables an attacker to read sensitive information from the sandboxed environment and potentially escape the sandbox, exposing data that otherwise would be protected. The weakness is rooted in information exposure (CWE‑200), unnecessary privilege escalation via sandbox escape (CWE‑688), and improper handling of privileged data that can lead to accidental disclosure (CWE‑243). As a result, confidentiality of user data and the integrity of the sandboxed process may be compromised.
Affected Systems
Firefox browser versions earlier than 152 (including ESR 140.12) and Thunderbird mail client versions earlier than 152 (including ESR 140.12) are impacted. All standard releases of these products that have not applied the fix remain vulnerable.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate severity, and the EPSS score of less than 1% suggests low likelihood of attack at present. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker would need to execute malicious code within the sandbox—either locally or via compromised content—to exploit the escape; remote exploitation through external input is not explicitly documented.
OpenCVE Enrichment
Debian DLA
Debian DSA