OAuth 2.0 public clients (e.g. browser-based apps) that use the Authorization Code Grant are susceptible to the authorization code interception attack.
Proof Key for Code Exchange by OAuth Public Clients (PKCE) helps mitigate this attack.
It ensures that only the client that requested the token can redeem it.
PKCE is pronounced “pixy”.
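
How that binding works, as an added example that is not part of the original page: the client sends only a hash of a secret code_verifier with the authorization request and reveals the verifier itself when redeeming the code. `ToyAuthServer` and the function names are hypothetical; the S256 transform is the one defined in RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # base64url without "=" padding, the encoding PKCE uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # Client: fresh secret per authorization request (32 random bytes -> 43 chars)
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    # Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Hypothetical in-memory authorization server; shows only the PKCE check."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge it was issued for

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        challenge = self._codes.pop(code, None)  # a code is usable once only
        if challenge is None:
            return None
        if not hmac.compare_digest(challenge_s256(code_verifier), challenge):
            return None  # presenter does not hold the verifier: refuse
        return "access-token-" + secrets.token_urlsafe(8)


def demo():
    server = ToyAuthServer()
    v1, v2 = new_verifier(), new_verifier()
    # Flow 1: the code is intercepted; the interceptor never saw v1.
    stolen = server.token(server.authorize(challenge_s256(v1)), new_verifier())
    # Flow 2: the requesting client redeems its code with the verifier it kept.
    legit = server.token(server.authorize(challenge_s256(v2)), v2)
    return stolen, legit
```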