CVE-2026-53899 Overview
CVE-2026-53899 is a cookie scoping vulnerability in Mozilla Firefox for iOS. The browser used partial domain matching when attaching cookies to PDF requests. A malicious site hosted on a suffix domain could receive cookies belonging to the legitimate target site. The flaw maps to CWE-345: Insufficient Verification of Data Authenticity and affects the same-origin guarantees that browsers enforce around cookie transmission. Mozilla addressed the issue in Firefox for iOS 152.0 via security advisory MFSA-2026-56.
Critical Impact
A network-positioned attacker controlling a suffix-matching domain can capture session cookies from a victim site when the browser issues a PDF request, exposing authentication state and session data.
Affected Products
- Mozilla Firefox for iOS versions prior to 152.0
- iOS builds of mozilla:firefox_mobile distributed through the App Store
- Any deployment relying on Firefox for iOS to access authenticated sites that serve PDF content
Discovery Timeline
- 2026-06-16 - CVE-2026-53899 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
- Mozilla released Firefox for iOS 152.0 containing the fix, documented in MFSA-2026-56
Technical Details for CVE-2026-53899
Vulnerability Analysis
The vulnerability resides in how Firefox for iOS scoped cookies when issuing requests for PDF resources. Instead of performing strict origin or registered-domain matching, the browser used partial domain matching. This logic treated any domain ending in a matching suffix as eligible to receive the cookies of the target site. An attacker registering a domain that shares a trailing string with a victim domain could induce the browser to attach the victim's cookies to outbound PDF requests directed at the attacker. The Mozilla bug tracker entry #2042909 records the underlying defect.
Root Cause
The root cause is improper validation of the request host against the cookie's domain attribute. PDF request handling in the iOS build skipped the strict equality and public-suffix checks that the cookie specification requires. As a result, suffix similarity between an attacker domain and a victim domain was sufficient to bind cookies to the wrong request.
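The flawed suffix check next to the cookie specification's domain-match rule, as an added illustration (not Firefox code; function names and hostnames are constructed):

```python
# Added illustration: the flawed suffix check next to the RFC 6265 domain-match
# rule. Not Firefox code; function names and hostnames are constructed.
import ipaddress


def naive_suffix_match(request_host: str, cookie_domain: str) -> bool:
    """The defect described above: any host that merely ends in the cookie's
    domain string is treated as eligible to receive the cookie."""
    return request_host.lower().endswith(cookie_domain.lower())


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches the cookie domain only if
    they are identical, or the domain is a suffix of host at a label boundary
    and host is not an IP address."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not domain:
        return False
    if host == domain:
        return True
    if not host.endswith(domain):
        return False
    # The character just before the suffix must be a label separator, so
    # "evil-example.com" does not match "example.com".
    if host[-len(domain) - 1] != ".":
        return False
    # An IP-address host never domain-matches, even if the digits line up.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def should_send_cookie(request_host: str, cookie_domain: str,
                       host_only: bool) -> bool:
    """Cookie attachment decision (RFC 6265 section 5.4 step 1).
    Host-only cookies (no Domain attribute, e.g. __Host- cookies) require an
    exact host match; domain cookies use domain-match. Public-suffix rejection
    is applied when the cookie is set and is not repeated here."""
    if host_only:
        return request_host.lower().rstrip(".") == cookie_domain.lower()
    return domain_matches(request_host, cookie_domain)
```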
Attack Vector
Exploitation requires the victim to load attacker-controlled content in Firefox for iOS that triggers a PDF request to the attacker's suffix-matching domain. No user interaction beyond visiting the page is required. The attacker observes the request server-side and harvests the leaked cookies, including session identifiers. The captured cookies can then be replayed to impersonate the victim against the legitimate site.
No public proof-of-concept code has been published. Technical details are described in the Mozilla advisory and bug report rather than in released exploit code.
Detection Methods for CVE-2026-53899
Indicators of Compromise
- Outbound HTTPS requests from iOS devices to unexpected domains containing Cookie headers that belong to unrelated first-party sites
- PDF resource fetches to domains that share only a suffix with sensitive internal applications
- Session reuse from IP addresses or user agents that do not match the original authenticating client
Detection Strategies
- Inspect TLS-decrypted egress traffic from managed mobile fleets for cross-domain cookie leakage on .pdf requests
- Correlate authentication session usage across distinct source addresses within short time windows to surface replayed sessions
- Audit web server access logs for PDF requests originating from Firefox for iOS user agents prior to version 152.0
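An added example (not from the advisory) of the access-log audit in the last strategy: it flags PDF fetches from Firefox for iOS user agents whose FxiOS/ version token is below 152.0. The log lines are constructed; the combined log layout is assumed, and the FxiOS/<version> token is the one Firefox for iOS sends.

```python
# Added example (not from the advisory): audit combined-format access logs for
# PDF fetches by Firefox for iOS builds older than 152.0, keyed on the
# FxiOS/<version> user-agent token. All log lines below are constructed.
import re
from urllib.parse import urlsplit

FIXED_VERSION = (152, 0)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
FXIOS_RE = re.compile(r'\bFxiOS/(\d+)(?:\.(\d+))?')

UA_IOS = ('Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) '
          'AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/{} Mobile/15E148 Safari/605.1.15')


def _line(ip: str, path: str, ua: str) -> str:  # builds one constructed log line
    return (f'{ip} - - [16/Jun/2026:10:00:01 +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "-" "{ua}"')

SAMPLE_LOG = [
    _line("203.0.113.10", "/reports/q2.pdf", UA_IOS.format("151.2")),  # vulnerable
    _line("203.0.113.11", "/reports/q2.pdf", UA_IOS.format("152.0")),  # patched
    _line("203.0.113.12", "/index.html", UA_IOS.format("150.0")),      # not a PDF
    _line("203.0.113.13", "/doc.PDF?dl=1", UA_IOS.format("149.0")),    # query + case
    _line("203.0.113.14", "/reports/q2.pdf",
          "Mozilla/5.0 (Windows NT 10.0; rv:152.0) Gecko/20100101 Firefox/152.0"),
]


def fxios_version(user_agent: str):
    # (major, minor) from the FxiOS/ token, or None if not Firefox for iOS
    m = FXIOS_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def is_pdf_request(target: str) -> bool:
    # PDF by path extension, ignoring the query string and letter case
    return urlsplit(target).path.lower().endswith(".pdf")


def vulnerable_pdf_requests(lines):
    # (ip, path, version) for each PDF fetch from a pre-152.0 Firefox for iOS
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        version = fxios_version(m["ua"])
        if version is None or version >= FIXED_VERSION:
            continue
        if is_pdf_request(m["path"]):
            hits.append((m["ip"], m["path"], version))
    return hits
```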
Monitoring Recommendations
- Track Firefox for iOS version distribution through MDM inventory and flag devices below 152.0
- Alert on authentication events where the session cookie was issued to one client fingerprint and replayed from another
- Monitor newly registered domains that share suffixes with corporate-owned domains and feed them to web filtering controls
How to Mitigate CVE-2026-53899
Immediate Actions Required
- Update Firefox for iOS to version 152.0 or later across all managed devices through MDM-enforced app updates
- Invalidate active sessions for users known to have browsed untrusted content on vulnerable Firefox for iOS builds
- Notify users who rely on Firefox for iOS to authenticate to sensitive web applications and require reauthentication
Patch Information
Mozilla fixed the vulnerability in Firefox for iOS 152.0. Refer to Mozilla Security Advisory MFSA-2026-56 and Bugzilla #2042909 for vendor details. Distribute the updated build through the Apple App Store and enforce minimum version policies via mobile device management.
Workarounds
- Restrict use of Firefox for iOS for authenticated browsing until version 152.0 is deployed
- Set the __Host- cookie prefix (which forbids a Domain attribute, so the cookie is host-only) and the SameSite=Strict attribute on session cookies to reduce cross-context attachment risk
- Shorten session lifetimes and bind cookies to client characteristics on the server side to limit replay value
# Example MDM compliance rule pinning a minimum Firefox for iOS version
minimum_app_version:
  bundle_id: org.mozilla.ios.Firefox
  version: "152.0"
  action: block_or_update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.