Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
UI:R assigned because the victim must navigate to or load content from the attacker-controlled suffix domain to trigger the PDF cookie-leak path.
Primary rating from Vendor (mozilla).
CVSS VectorVendor: mozilla
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.
AnalysisAI
Cookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intended for a target site during PDF request handling. The browser's PDF loading code path applied partial rather than exact-origin domain matching when deciding which cookies to attach, meaning a domain such as 'evilbank.com' could satisfy a suffix match against 'bank.com' and receive that site's cookies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the victim must be using Firefox for iOS at a version prior to 152.0; (2) the victim's browser session must contain cookies for the target domain at the time the PDF request is triggered; and (3) the attacker must control a domain that satisfies a suffix string match against the target domain and must be able to cause the victim's browser to initiate a PDF resource request - most plausibly via an embedded PDF object or iframe on a page the victim visits. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) characterizes this as a medium-severity, remotely exploitable, low-complexity flaw with no privilege or user-interaction requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a domain that is a string suffix of the target site's domain (e.g., targeting users of 'payments.example.com' by registering 'ments.example.com' or a lookalike). The attacker hosts a page containing an auto-loading PDF iframe or redirect that causes the victim's Firefox for iOS browser - in a session where the victim holds valid cookies for the target domain - to make a PDF fetch request. … |
| Remediation | The primary remediation is to update Firefox for iOS to version 152.0 or later, available through the Apple App Store. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Firefox For Ios
View allFirefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, ena
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handli
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37077
GHSA-848m-8qg2-wmrv