Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
UI:R assigned because the victim must navigate to or load content from the attacker-controlled suffix domain to trigger the PDF cookie-leak path.
Primary rating from Vendor (mozilla).
CVSS VectorVendor: mozilla
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.
AnalysisAI
Cookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intended for a target site during PDF request handling. The browser's PDF loading code path applied partial rather than exact-origin domain matching when deciding which cookies to attach, meaning a domain such as 'evilbank.com' could satisfy a suffix match against 'bank.com' and receive that site's cookies. No active exploitation is confirmed, but the SSVC framework rates this as automatable with partial technical impact, making it a credible session-hijacking vector for users on unpatched versions.
Technical ContextAI
The flaw resides in Mozilla's Firefox for iOS application (CPE: cpe:2.3:a:mozilla:firefox_for_ios:*:*:*:*:*:*:*:*), which runs on Apple's iOS platform. The affected code path handles cookie attachment for PDF resource requests - a distinct fetch pipeline from standard HTTP navigation. CWE-345 (Insufficient Verification of Data Authenticity) identifies the root cause: the browser failed to verify that the requesting domain authentically matches the cookie's domain attribute via proper exact-prefix comparison, instead accepting a simple string-suffix relationship. This is the classic 'suffix confusion' class of cookie scope errors, where 'evil.com' can satisfy a suffix match for a cookie scoped to '.il.com' or where 'attacker-example.com' could incorrectly satisfy a match against 'example.com' if the implementation checks only whether the cookie domain appears at the end of the request host string without enforcing a dot-boundary delimiter.
RemediationAI
The primary remediation is to update Firefox for iOS to version 152.0 or later, available through the Apple App Store. This is a vendor-released patch confirmed by Mozilla advisory MFSA2026-56 (https://www.mozilla.org/security/advisories/mfsa2026-56/). Organizations managing iOS devices through MDM solutions should enforce the minimum app version policy. As a compensating control where immediate update is not possible, users can avoid loading PDF content directly in Firefox for iOS and instead use a dedicated PDF viewer application, which removes the vulnerable code path entirely. Restricting cookies for sensitive domains to the Secure and SameSite=Strict attributes provides partial mitigation by limiting cookie transmission contexts, though SameSite controls are not a complete fix since the flaw is in domain-matching logic rather than cross-site request handling. No side effects are expected from updating to 152.0.
More in Firefox For Ios
View allFirefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, ena
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handli
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37077
GHSA-848m-8qg2-wmrv