Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Integrity raised to L because injecting arbitrary cookies modifies request state on unrelated target domains, a concrete integrity impact omitted from the official vector.
Primary rating from Vendor (mozilla).
CVSS VectorVendor: mozilla
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.
AnalysisAI
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handling mechanism incorrectly preserving cookies from an initial PDF request across cross-origin HTTP redirects. This violates same-origin cookie isolation, enabling a malicious site to inject arbitrary cookies into requests directed at an unrelated target domain and potentially manipulate session or authentication state on that domain. No public exploit code has been identified and no CISA KEV listing exists; the CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low-complexity remote exploitability contingent on user interaction, and Mozilla has shipped a vendor-released patch in Firefox for iOS 152.0.
Technical ContextAI
The vulnerability is rooted in Firefox for iOS's TemporaryDocument subsystem, which handles inline PDF rendering within the browser. When the browser fetches a PDF resource and the server responds with an HTTP redirect to a cross-origin destination, the implementation erroneously carries forward cookies that were set during the original request rather than scoping them to the origin that set them. This breaches the fundamental browser security invariant that cookies must not traverse origin boundaries without explicit cross-origin policy grants (e.g., SameSite=None with Secure, or CORS). The root cause maps to CWE-345 (Insufficient Verification of Data Authenticity): the browser fails to re-validate cookie authorization at the point of the cross-origin redirect, allowing attacker-influenced cookie state to propagate. Affected product per CPE is cpe:2.3:a:mozilla:firefox_for_ios:*:*:*:*:*:*:*:* - all versions with no lower version bound specified by Mozilla.
RemediationAI
Vendor-released patch: Firefox for iOS 152.0. Users should update to Firefox for iOS 152.0 or later via the Apple App Store, which resolves the cookie isolation failure in the TemporaryDocument PDF path. No official workarounds are documented in the Mozilla advisory at https://www.mozilla.org/security/advisories/mfsa2026-56/. As a compensating control prior to patching, users can avoid opening PDFs directly within Firefox for iOS from untrusted or unfamiliar sites, instead downloading the PDF and opening it in a dedicated viewer such as Apple Books or Adobe Acrobat for iOS, which do not share Firefox's cookie jar. This eliminates the TemporaryDocument code path entirely and removes the exploitation vector without requiring a browser update.
More in Firefox For Ios
View allCookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intend
Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, ena
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37078
GHSA-6xv8-mg86-mq56