Impact
The vulnerability exists in the Settings user interface component and permits an attacker to read data that should remain confidential, effectively bypassing built-in mitigation controls. This exposes sensitive information that the application or the user would expect to be protected. The weakness is formally categorized as an information disclosure (CWE-200) and a protection mechanism failure (CWE-693).
Affected Systems
Mozilla Firefox and Thunderbird versions older than 148 contain the vulnerable Settings UI component and are therefore susceptible; all editions of these products running a pre-148 release are considered at risk. The CNA singles out no specific feature or sub-edition, so the entire set of pre-148 builds is treated as vulnerable.
Risk and Exploitability
The CVSS base score of 7.5 indicates high severity, yet the EPSS score of less than 1% suggests that exploitation attempts are unlikely to be observed in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector would require local user interaction with the Settings UI component; the available information does not indicate remote exploitation. Consequently, while the potential impact on confidentiality is significant, the practical likelihood of exploitation remains low.