Skip to main content

Firefox for iOS EUVDEUVD-2026-37077

| CVE-2026-53899 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-16 mozilla GHSA-848m-8qg2-wmrv
6.5
CVSS 3.1 · Vendor: mozilla
Share

Severity by source

Vendor (mozilla) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

UI:R assigned because the victim must navigate to or load content from the attacker-controlled suffix domain to trigger the PDF cookie-leak path.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mozilla).

CVSS VectorVendor: mozilla

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 17:26 vuln.today
CVSS changed
Jun 16, 2026 - 17:22 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
Jun 16, 2026 - 11:53 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 16, 2026 - 11:53 cve.org
MEDIUM 6.5

DescriptionCVE.org

Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.

AnalysisAI

Cookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intended for a target site during PDF request handling. The browser's PDF loading code path applied partial rather than exact-origin domain matching when deciding which cookies to attach, meaning a domain such as 'evilbank.com' could satisfy a suffix match against 'bank.com' and receive that site's cookies. No active exploitation is confirmed, but the SSVC framework rates this as automatable with partial technical impact, making it a credible session-hijacking vector for users on unpatched versions.

Technical ContextAI

The flaw resides in Mozilla's Firefox for iOS application (CPE: cpe:2.3:a:mozilla:firefox_for_ios:*:*:*:*:*:*:*:*), which runs on Apple's iOS platform. The affected code path handles cookie attachment for PDF resource requests - a distinct fetch pipeline from standard HTTP navigation. CWE-345 (Insufficient Verification of Data Authenticity) identifies the root cause: the browser failed to verify that the requesting domain authentically matches the cookie's domain attribute via proper exact-prefix comparison, instead accepting a simple string-suffix relationship. This is the classic 'suffix confusion' class of cookie scope errors, where 'evil.com' can satisfy a suffix match for a cookie scoped to '.il.com' or where 'attacker-example.com' could incorrectly satisfy a match against 'example.com' if the implementation checks only whether the cookie domain appears at the end of the request host string without enforcing a dot-boundary delimiter.

RemediationAI

The primary remediation is to update Firefox for iOS to version 152.0 or later, available through the Apple App Store. This is a vendor-released patch confirmed by Mozilla advisory MFSA2026-56 (https://www.mozilla.org/security/advisories/mfsa2026-56/). Organizations managing iOS devices through MDM solutions should enforce the minimum app version policy. As a compensating control where immediate update is not possible, users can avoid loading PDF content directly in Firefox for iOS and instead use a dedicated PDF viewer application, which removes the vulnerable code path entirely. Restricting cookies for sensitive domains to the Secure and SameSite=Strict attributes provides partial mitigation by limiting cookie transmission contexts, though SameSite controls are not a complete fix since the flaw is in domain-matching logic rather than cross-site request handling. No side effects are expected from updating to 152.0.

Share

EUVD-2026-37077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy