Skip to main content

Firefox for iOS CVE-2026-53900

| EUVDEUVD-2026-37078 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-16 mozilla GHSA-6xv8-mg86-mq56
4.3
CVSS 3.1 · Vendor: mozilla
Share

Severity by source

Vendor (mozilla) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
5.4 MEDIUM

Integrity raised to L because injecting arbitrary cookies modifies request state on unrelated target domains, a concrete integrity impact omitted from the official vector.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mozilla).

CVSS VectorVendor: mozilla

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 15:50 vuln.today
CVSS changed
Jun 16, 2026 - 15:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 16, 2026 - 11:53 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 16, 2026 - 11:53 cve.org
MEDIUM 4.3

DescriptionCVE.org

Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.

AnalysisAI

Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handling mechanism incorrectly preserving cookies from an initial PDF request across cross-origin HTTP redirects. This violates same-origin cookie isolation, enabling a malicious site to inject arbitrary cookies into requests directed at an unrelated target domain and potentially manipulate session or authentication state on that domain. No public exploit code has been identified and no CISA KEV listing exists; the CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low-complexity remote exploitability contingent on user interaction, and Mozilla has shipped a vendor-released patch in Firefox for iOS 152.0.

Technical ContextAI

The vulnerability is rooted in Firefox for iOS's TemporaryDocument subsystem, which handles inline PDF rendering within the browser. When the browser fetches a PDF resource and the server responds with an HTTP redirect to a cross-origin destination, the implementation erroneously carries forward cookies that were set during the original request rather than scoping them to the origin that set them. This breaches the fundamental browser security invariant that cookies must not traverse origin boundaries without explicit cross-origin policy grants (e.g., SameSite=None with Secure, or CORS). The root cause maps to CWE-345 (Insufficient Verification of Data Authenticity): the browser fails to re-validate cookie authorization at the point of the cross-origin redirect, allowing attacker-influenced cookie state to propagate. Affected product per CPE is cpe:2.3:a:mozilla:firefox_for_ios:*:*:*:*:*:*:*:* - all versions with no lower version bound specified by Mozilla.

RemediationAI

Vendor-released patch: Firefox for iOS 152.0. Users should update to Firefox for iOS 152.0 or later via the Apple App Store, which resolves the cookie isolation failure in the TemporaryDocument PDF path. No official workarounds are documented in the Mozilla advisory at https://www.mozilla.org/security/advisories/mfsa2026-56/. As a compensating control prior to patching, users can avoid opening PDFs directly within Firefox for iOS from untrusted or unfamiliar sites, instead downloading the PDF and opening it in a dedicated viewer such as Apple Books or Adobe Acrobat for iOS, which do not share Firefox's cookie jar. This eliminates the TemporaryDocument code path entirely and removes the exploitation vector without requiring a browser update.

Share

CVE-2026-53900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy