Mozilla Foundation Security Advisory 2026-56

Security Vulnerabilities fixed in Firefox for iOS 152.0

Announced

June 16, 2026

Impact

high

Products

Firefox for iOS

Fixed in

Firefox for iOS 152

#CVE-2026-53899: Cross-origin cookies could be leaked when opening a PDF link

Reporter: Muneaki Nishimura
Impact: high

Description

Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site.

References

Bug 2042909

#CVE-2026-53900: Cookie injection was possible when opening a PDF link

Reporter: Muneaki Nishimura
Impact: high

Description

Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain.

References

Bug 2043204

Firefox browsers

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

Solo

0DIN

Tabstack

About Mozilla

The Mozilla Manifesto

Get Involved

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising

Mozilla Builders

Mozilla New Products

Mozilla Foundation Security Advisory 2026-56

Security Vulnerabilities fixed in Firefox for iOS 152.0

#CVE-2026-53899: Cross-origin cookies could be leaked when opening a PDF link

Description

References

#CVE-2026-53900: Cookie injection was possible when opening a PDF link

Description

References