Starting with Firefox 117 and Thunderbird 115.2, Mozilla has switched off push notifications inside private browsing windows. The change puts a hard stop on a privacy bug that let websites quietly store unencrypted notification data on your hard drive—data that stuck around even after the private session ended.
It’s a rare case where turning off a feature makes your browser more private. For anyone who switches to private mode expecting nothing to be saved to disk, the fix closes a gap that undermined that promise.
What actually changed
The vulnerability, assigned CVE-2023-4580, affected all versions of Firefox before 117, Firefox ESR before 115.2, and Thunderbird before 115.2. When you browsed in a private window and allowed a site to send push notifications, the browser saved the notification payload and related metadata directly to disk—without encryption. Under normal browsing, that’s expected; the push API needs to store subscription info and message data so it can display alerts even if Firefox isn't open. But private mode is supposed to keep things ephemeral.
Here’s where the problem lay: the notification store wasn’t being handled differently for private sessions. So if you logged into your bank in a private window and it sent a push alert with a one-time code, that code could remain on your drive in plain text. Close the window, delete history, run CCleaner—it might not matter. The file could still be recoverable.
Mozilla’s immediate response was blunt: disable push notifications in private windows entirely. The fix rolled out in the following releases:
- Firefox 117 (mainline)
- Firefox ESR 115.2
- Thunderbird 115.2
No configuration flags, no about:config tweaks—if you’re in a private window, the browser simply won’t accept push subscriptions or show push notifications from that session.
What it means for you
For everyday users
If you use private mode to research medical conditions, shop for gifts, or log into sensitive accounts, this fix strengthens the “no trace” guarantee. The trade-off: you’ll stop receiving push notifications from web apps while in a private window. So if you rely on real-time alerts from email, messaging apps, or news sites, they won’t pop up until you close the private window and return to a normal tab—or open the app elsewhere.
For power users and IT admins
In managed environments, this change could affect workflows that depend on push notifications during privacy-sensitive tasks. Administrators should:
- Verify that enterprise Firefox installations are at version 117 or later.
- Update deployment pipelines to push the fixed ESR (115.2+) or Rapid Release builds.
- If any internal web apps use push notifications in a private context, test for broken notification flows.
A quick reassurance: this bug required local access to your disk to be exploited. So the risk was highest for devices that might be stolen, seized, or shared. If you already use full-disk encryption and keep your device physically secure, the exposure was limited—but still worth patching.
For web developers
If your site relies on push notifications, you’ll see a behavior change: Firefox now silently refuses to register push subscriptions in private mode. The Push API subscribe() call will reject, or the subscription attempt will simply not succeed. You should:
- Detect private mode using feature detection or indexedDB quirks, and gracefully degrade the experience.
- Never put secrets in push payloads. Treat notification data as public—it may be stored, logged, or intercepted. Use opaque tokens that require a server-side lookup.
- Prepare fallback UX for users who depend on alerts but choose private browsing.
How we got here
The web Push API was designed for persistent, out-of-band communication. Once a user grants permission, the browser keeps a subscription object and wakes a background service worker to show notifications—even when the page isn’t open. Persistence is the whole point. That persistence, however, directly conflicts with the core promise of private browsing: nothing is written to disk that survives the session.
Browsers have long struggled with this tension. Chrome and Safari have their own approaches (Chrome limits cookies and storage, Safari uses separate ephemeral stores), but the push notification implementation in Firefox inherited the same code path used for regular windows. According to Mozilla’s advisory, the notification store—the on-disk database holding incoming messages—wasn’t encrypted when it came from a private session. The bug was reported internally and tracked in Mozilla’s issue tracker in late 2023, leading to the mitigation.
Mozilla assigned a CVSS v3.1 score of 6.5 (medium severity), reflecting that exploitation requires local file access—there’s no remote code execution or network-based attack vector. Still, the confidentiality impact was meaningful: forensics, malware, or device theft could all turn up private notification data.
Rather than rush an encryption scheme, Mozilla took the conservative route: cut the feature off in private mode until a proper implementation exists. That’s the same logic that previously led them to disable extensions in private windows by default, and it’s a pragmatic “first, do no harm” play.
What to do now
1. Update immediately
- Open Firefox, click the menu (☰), go to Help > About Firefox. If you’re below version 117, the browser will download the update automatically.
- For Thunderbird: Help > About Thunderbird.
- Enterprise admins: force an update via group policy or management tool to Firefox 117+ or ESR 115.2+.
2. Check your version
You can verify your current version in about:support or the About dialog. The vulnerable builds are:
- Firefox < 117
- Firefox ESR < 115.2.0
- Thunderbird < 115.2.0
If you’re on any of those, you’re at risk.
3. Clear old private notification data (optional but recommended for high-risk users)
If you used private mode extensively on an affected version and your device may have been accessed by someone else, consider:
- Deleting the Firefox profile folder for that device (this also removes bookmarks and passwords, so back up what you need first).
- Rotating secrets that might have appeared in notifications. While rare, some apps mistakenly send one-time passcodes or session tokens via push. If you’re unsure, change passwords and log out other sessions.
- Using a disk cleaning tool like BleachBit (or Windows’ built-in drive cleanup) to overwrite free space, making file recovery harder.
The notification data is stored within the profile’s storage.sqlite or a dedicated notifications database. Without the update, manually deleting these files doesn’t prevent future leaks; the update is the only complete fix.
4. Harden your device
Since this bug required local access, basic security hygiene lowers the effective risk:
- Enable full-disk encryption: BitLocker on Windows, FileVault on macOS, LUKS on Linux.
- Use a strong login password and lock your screen when away.
- Run up-to-date anti-malware and endpoint protection.
- Restrict physical access to your device.
5. Consider disabling web notifications entirely
For users with higher privacy needs (journalists, activists, executives), you might temporarily disable push notifications altogether until Mozilla re-enables the feature with proper encryption. In Firefox:
- Go to about:preferences#privacy
- Scroll to the Permissions section
- Click Settings… next to Notifications
- Check Block new requests asking to allow notifications
Or use dom.webnotifications.enabled in about:config to switch them off globally.
Outlook
Mozilla’s fix is explicitly temporary. The bug tracker indicates that the long-term plan is to build an encrypted, session-scoped notification store that can safely support push in private windows without sacrificing privacy. That’s a non-trivial engineering task—properly managing encryption keys that live only in memory and are destroyed at session end requires careful cross-platform work.
In the meantime, private windows will remain notification-free. For most users, that’s a net privacy win, even if it means missing an occasional alert. The incident also serves as a broader reminder: private browsing isn’t a silver bullet. Background services, extensions, and even settings sync can leave traces. When you need true ephemerality, consider combining private windows with a dedicated browser profile or tools like Tails.
What to watch for: future Firefox release notes may announce when encrypted push storage lands, restoring notifications in private mode under a stronger privacy model. Developers should keep an eye on the Mozilla security advisories and the Browser Compatibility Data around the Push API for changes.