Mozilla released Firefox for iOS 152 on June 16, 2026, addressing two high-severity cookie security vulnerabilities (CVE-2026-53899 and CVE-2026-53900) that could allow attackers to leak or inject cookies across unrelated domains via maliciously crafted PDF links.
Both flaws were discovered by security researcher Muneaki Nishimura and are documented in Mozilla Foundation Security Advisory MFSA2026-56.
Mozilla Foundation Security Advisory 2026-56 (MFSA2026-56) was officially announced on June 16, 2026, and carries a high-impact severity rating across both reported vulnerabilities.
The advisory affects only Firefox for iOS, Mozilla’s mobile browser that runs atop Apple’s WebKit rendering engine. Both vulnerabilities stem from flawed cookie-handling logic that is triggered specifically when Firefox for iOS opens PDF files via hyperlinks, making the attack surface uniquely tied to the browser’s PDF rendering workflow.
CVE-2026-53899 is a high-severity cross-origin cookie leakage vulnerability affecting Firefox for iOS versions prior to 152. The flaw stems from Firefox for iOS using partial-domain matching when attaching cookies to PDF requests.
Under this flawed logic, a malicious website hosted on a suffix domain for example, evil.targetsite.com could receive session cookies that legitimately belong to targetsite.com. This is a classic domain validation bypass that effectively breaks the browser’s same-origin cookie isolation boundary.
Technical Impact: An attacker controlling a suffix domain of the victim’s target site could silently harvest authentication tokens, session identifiers, or other sensitive cookies transmitted during a PDF fetch without any additional user interaction beyond clicking a link.
This type of cookie leakage can directly enable session hijacking, credential theft, and unauthorized access to accounts on the targeted domain.
CVE-2026-53900 is a high-severity cookie injection vulnerability, also discovered by Muneaki Nishimura, and patched in Firefox for iOS 152.
This flaw is rooted in how Firefox for iOS handled cookies inside the TemporaryDocument component a temporary storage object used for rendering inline PDF content.
The browser incorrectly preserved cookies set during the initial PDF request and carried them forward across cross-origin HTTP redirects, allowing a malicious site to inject arbitrary cookies into a request directed at a completely unrelated target domain.
Technical Impact: Cookie injection attacks of this nature can be leveraged for Cross-Site Request Forgery (CSRF), session fixation, or poisoning authentication flows.
By weaponizing the PDF redirect chain, a threat actor could silently set forged cookies in the victim’s browser targeting a third-party web application without the victim’s knowledge.
The TemporaryDocument mechanism, intended for PDF handling, became an unintended persistence channel for attacker-supplied cookie values.
| Property | CVE-2026-53899 | CVE-2026-53900 |
|---|---|---|
| Type | Cookie Leakage | Cookie Injection |
| Root Cause | Partial domain matching in PDF cookie attachment | Cookie persistence across cross-origin HTTP redirects |
| Attack Mechanism | Suffix domain receives victim’s cookies | Malicious site injects cookies into unrelated domain |
| Exploit Component | PDF request cookie handler | TemporaryDocument in PDF redirect chain |
| Severity | High | High |
| Reporter | Muneaki Nishimura | Muneaki Nishimura |
| Bug ID | 2042909 | 2043204 |
| Fixed In | Firefox for iOS 152 | Firefox for iOS 152 |
Firefox for iOS operates within Apple’s WebKit sandbox, which already imposes cross-site cookie restrictions. However, the PDF-handling layer in Firefox for iOS introduced a separate application-level cookie-management path that bypassed these WebKit-enforced protections.
Mozilla has historically invested heavily in cookie isolation technologies, including Total Cookie Protection, which confines cookies to per-site “cookie jars,” but these two CVEs demonstrate that supplementary browser code paths, such as PDF rendering workflows, can harbor independent vulnerabilities that undermine those broader protections.
Mobile browsers are especially high-value targets because iOS users frequently interact with PDFs via browser links in email or messaging apps.
Affected Versions and Patch Details
| Detail | Information |
|---|---|
| Advisory ID | MFSA2026-56 |
| Announcement Date | June 16, 2026 |
| Affected Product | Firefox for iOS |
| Vulnerable Versions | All Firefox for iOS versions prior to 152 |
| Patched Version | Firefox for iOS 152.0 |
| Impact Rating | High |
| Patch Source | Apple App Store |
Mitigation
All Firefox for iOS users should immediately update to Firefox for iOS 152 via the Apple App Store. Mozilla advises the following:
- Update immediately: Navigate to the App Store, search for Firefox, and apply the latest update if automatic updates are not enabled.
- Avoid untrusted PDF links: Until the update is confirmed applied, exercise caution when opening PDF links from unknown or untrusted websites in Firefox on iOS.
- Enterprise MDM users: IT administrators should enforce Firefox for iOS 152 or later as the minimum required version through Mobile Device Management (MDM) policies.
- Monitor for session anomalies: Users who may have previously opened suspicious PDF links should monitor active sessions for unauthorized logins across accounts accessed via Firefox on iOS.
- Review cookie audit logs: Web application owners should review server-side logs for unexpected cookie values or session identifiers that may indicate prior exploitation activity.
Both vulnerabilities were responsibly disclosed and reported by Muneaki Nishimura, who identified two distinct but related flaws within the same Firefox for iOS PDF-handling subsystem.
The coordinated discovery suggests a targeted audit of the PDF rendering pipeline, which has historically been a rich source of browser vulnerabilities across multiple platforms. Mozilla has credited Nishimura in MFSA2026-56 for both bug reports (Bug 2042909 and Bug 2043204).
FAQ
Q1: What is CVE-2026-53899 in Firefox for iOS?
CVE-2026-53899 is a high-severity flaw in which Firefox for iOS used partial domain matching for PDF cookie requests, allowing a suffix-domain attacker to steal cookies belonging to a target site.
Q2: What does CVE-2026-53900 allow an attacker to do?
CVE-2026-53900 allows a malicious site to inject arbitrary cookies into requests for an unrelated domain by exploiting how Firefox for iOS preserves cookies across cross-origin HTTP redirects during PDF loading.
Q3: Which versions of Firefox for iOS are affected by MFSA2026-56?
All versions of Firefox for iOS prior to version 152 are vulnerable to both CVE-2026-53899 and CVE-2026-53900, as documented in Mozilla Security Advisory MFSA2026-56.
Q4: How can users protect themselves from these Firefox iOS cookie vulnerabilities?
Users should immediately update to Firefox for iOS 152 via the Apple App Store, which includes complete patches for both high-severity cookie-leakage and injection vulnerabilities.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
