
CVE-2026-9309: Mozilla Firefox XSS Vulnerability

CVE-2026-9309 is an XSS flaw in Mozilla Firefox for iOS Reader View that allows malicious pages to inject markup and execute arbitrary JavaScript. This article covers technical details, affected versions, and mitigation.


CVE-2026-9309 Overview

CVE-2026-9309 is a cross-site scripting (XSS) vulnerability in Firefox for iOS Reader View. The Reader View feature failed to properly escape HTML tags embedded in JSON-LD metadata. A malicious web page could inject markup that altered Reader View behavior and leaked sensitive URL parameters. Attackers could then use those parameters to access internal pages, potentially leading to arbitrary JavaScript execution within an internal origin. Mozilla addressed the issue in Firefox for iOS 151.2. The flaw is tracked under [CWE-79] and affects only the iOS build of Firefox.

Critical Impact

A crafted page can manipulate Reader View output, exfiltrate URL parameters, and reach internal origins where arbitrary JavaScript may execute.

Affected Products

  • Mozilla Firefox for iOS (versions prior to 151.2)
  • iOS platform builds matching CPE cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*
  • Component: mozilla:firefox


Technical Details for CVE-2026-9309

Vulnerability Analysis

Reader View parses page metadata, including JSON-LD blocks, to render a simplified article view. Firefox for iOS did not strip or escape HTML tags contained inside JSON-LD strings before incorporating that metadata into the rendered Reader View document. An attacker-controlled page can therefore embed HTML or script-bearing markup inside JSON-LD fields such as the headline or author name. When a user activates Reader View, the injected text is parsed as markup rather than shown as text, so any script-bearing elements it contains run in the Reader View context. The injected script can read URL parameters that Reader View processes internally. Those parameters reference internal origins used by Firefox for iOS, and an attacker can replay them to reach privileged pages. Once an internal origin is reached, arbitrary JavaScript can run with the elevated trust of that origin.

Root Cause

The root cause is missing output encoding of JSON-LD string values before they are inserted into the Reader View DOM. Firefox for iOS treated JSON-LD metadata as trusted structured data rather than untrusted page-controlled input. HTML special characters in metadata fields were inserted verbatim, allowing tag injection in the Reader View output.
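The following is an added example, not Firefox for iOS source code: a minimal reader-view renderer that builds its article header from parsed JSON-LD metadata. renderVulnerable() concatenates the string values verbatim, which is the missing output encoding described above; renderHardened() entity-encodes them first. The metadata object, the field names it reads and the tagNames() check are constructed for this example.

```javascript
// Added example (not Firefox for iOS code). Shows how an unescaped JSON-LD
// string becomes live markup in a reader document, and the encoded alternative.

// Constructed JSON-LD as an attacker-controlled page would serve it. The
// headline carries an <img> tag with an onerror handler. A real payload would
// also read the Reader View URL parameters; that part is not modelled here.
const ATTACKER_JSONLD = JSON.parse(`{
  "@context": "https://schema.org",
  "@type": "NewsArticle",
  "headline": "Quarterly results<img src=x onerror='alert(document.location)'>",
  "author": { "@type": "Person", "name": "A. Writer" }
}`);

// Entity-encode the five characters that can end text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Pick the fields a reader view typically shows; missing fields become "".
function readerFields(meta) {
  return {
    headline: meta.headline ?? '',
    byline: (meta.author && meta.author.name) ?? '',
  };
}

// Vulnerable: metadata treated as trusted structured data and spliced into
// markup. The <img> inside "headline" becomes a real element.
function renderVulnerable(meta) {
  const f = readerFields(meta);
  return `<article><h1>${f.headline}</h1><p class="byline">${f.byline}</p></article>`;
}

// Hardened: every metadata string is encoded before it reaches the document.
// The same bytes now render as the visible text "<img ...>", not an element.
function renderHardened(meta) {
  const f = readerFields(meta);
  return `<article><h1>${escapeHtml(f.headline)}</h1>` +
         `<p class="byline">${escapeHtml(f.byline)}</p></article>`;
}

// Tag names an HTML parser would create from a markup string; used only to
// compare the two renderers. Deliberately simple, enough for this check.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

console.log('vulnerable:', tagNames(renderVulnerable(ATTACKER_JSONLD)));
console.log('hardened:  ', tagNames(renderHardened(ATTACKER_JSONLD)));
```

Encoding at the point of insertion is the fix; filtering known-bad tags out of the JSON-LD would leave every other element, attribute and entity trick untouched. In a real browser the hardened path would set textContent on the heading element rather than build an HTML string at all.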

Attack Vector

Exploitation requires user interaction: the victim must visit an attacker-controlled page and switch to Reader View. The page advertises crafted JSON-LD metadata containing injected HTML tags. When Reader View renders, the markup is parsed and executed, and a script can read sensitive parameters from the Reader View URL. Those parameters are then forwarded to an internal origin to trigger JavaScript execution. No authentication or special privileges are required on the targeted device.

No verified proof-of-concept code is publicly available. See the Mozilla Bug Report #2036573 for technical details once made public.

Detection Methods for CVE-2026-9309

Indicators of Compromise

  • Firefox for iOS clients running versions earlier than 151.2 in mobile device inventories.
  • HTTP responses containing <script type="application/ld+json"> payloads with embedded HTML tags such as <script>, <img>, or <iframe> inside JSON string values.
  • Unexpected navigations from Reader View sessions to internal Firefox origins (custom schemes used by Firefox for iOS).

Detection Strategies

  • Inspect mobile web traffic for JSON-LD blocks that contain HTML markup inside string fields. Markup is unusual in most schema.org text properties but not impossible, so treat a hit as a lead to review rather than as confirmed exploitation.
  • Correlate mobile browser version telemetry with Mobile Device Management (MDM) inventories to flag devices on Firefox for iOS below 151.2.
  • Hunt for outbound requests from mobile browsers whose query strings or Referer headers carry Reader View URL parameters or references to Firefox's internal custom-scheme origins; those values should never leave the browser, so any occurrence warrants investigation.
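Added example covering the JSON-LD indicator in the list above and the traffic-inspection strategy; it is not part of the original advisory or of any Mozilla tooling. scanJsonLd() extracts every application/ld+json block from an HTML response body, parses it, walks all string values and reports those that contain HTML tags together with the JSON path of the offending field. The two sample responses are constructed; the regexes and the finding format are this example's own.

```javascript
// Added example (not Mozilla code): flag JSON-LD string values that carry HTML
// markup, the indicator described for CVE-2026-9309.

// Matches each <script type="application/ld+json"> block and captures its body.
const LD_JSON_RE = /<script\b[^>]*\btype\s*=\s*["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script\s*>/gi;
// Tag start or end: '<', optional '/', a tag name, anything up to '>'.
// "1 < 2" does not match because a space follows the '<'.
const TAG_RE = /<\/?([a-zA-Z][\w-]*)[^>]*>/g;

// Parse every JSON-LD block. Unparseable blocks are kept and reported too,
// since a lenient consumer may still process them.
function extractJsonLd(html) {
  const blocks = [];
  for (const m of html.matchAll(LD_JSON_RE)) {
    try { blocks.push({ ok: true, data: JSON.parse(m[1]) }); }
    catch (e) { blocks.push({ ok: false, raw: m[1] }); }
  }
  return blocks;
}

// Depth-first walk of a parsed JSON value, yielding [jsonPath, string] pairs.
function* stringLeaves(value, path = '$') {
  if (typeof value === 'string') {
    yield [path, value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* stringLeaves(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* stringLeaves(v, `${path}.${k}`);
  }
}

// Scan one HTML document. Returns findings: { block, path, tags, sample }.
// path is null for a block that failed to parse as JSON.
function scanJsonLd(html) {
  const findings = [];
  extractJsonLd(html).forEach((b, idx) => {
    if (!b.ok) {
      findings.push({ block: idx, path: null, tags: [], sample: b.raw.slice(0, 80) });
      return;
    }
    for (const [path, s] of stringLeaves(b.data)) {
      const tags = [...s.matchAll(TAG_RE)].map((m) => m[1].toLowerCase());
      if (tags.length) {
        findings.push({ block: idx, path, tags: [...new Set(tags)], sample: s.slice(0, 80) });
      }
    }
  });
  return findings;
}

// Constructed sample responses. The benign one uses '<' as a comparison sign,
// which must not be flagged; the suspicious one hides an <img> and an <iframe>
// in two different string fields and also carries a clean second block.
const BENIGN_RESPONSE = `<html><head><script type="application/ld+json">` +
  `{"@context":"https://schema.org","@type":"Article","headline":"Plain title",` +
  `"description":"Uses 1 < 2 as math, not markup"}</script></head><body></body></html>`;

const SUSPICIOUS_RESPONSE = `<html><head><script type="application/ld+json">` +
  `{"@context":"https://schema.org","@type":"NewsArticle",` +
  `"headline":"Breaking<img src=x onerror='alert(1)'>",` +
  `"author":[{"@type":"Person","name":"<iframe src='//attacker.example/'></iframe>"}]}` +
  `</script><script type="application/ld+json">{"@type":"WebSite","name":"Ok"}</script>` +
  `</head><body></body></html>`;

console.log('benign:', scanJsonLd(BENIGN_RESPONSE));
console.log('suspicious:', scanJsonLd(SUSPICIOUS_RESPONSE));
```

Run it over decrypted response bodies from a proxy or from a page crawl of sites your users frequent. The tag regex is a heuristic: it will also fire on properties such as articleBody where some publishers embed markup legitimately, so the JSON path in each finding is there to let an analyst judge whether the field is one a reader view would render as text.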

Monitoring Recommendations

  • Monitor application version data reported by MDM platforms and alert on Firefox for iOS installations below 151.2.
  • Enable network-level inspection of mobile browser traffic where corporate policy allows, focusing on suspicious JSON-LD payloads.
  • Track user reports of Reader View rendering anomalies, which may indicate active exploitation attempts.

How to Mitigate CVE-2026-9309

Immediate Actions Required

  • Update Firefox for iOS to version 151.2 or later through the Apple App Store on all managed and personal devices.
  • Push the update via MDM where supervised devices and managed app distribution are configured.
  • Advise users to avoid using Reader View on untrusted sites until the update is applied.

Patch Information

Mozilla fixed the vulnerability in Firefox for iOS 151.2. Full remediation details are published in Mozilla Security Advisory MFSA-2026-53. The underlying issue is tracked in Mozilla Bug Report #2036573.

Workarounds

  • Instruct users not to open Reader View on Firefox for iOS until devices are updated to 151.2 or later.
  • Use an alternative browser on iOS for content where a reader mode is required and the Firefox update has not yet been applied.
  • Restrict mobile browsing to known-trusted domains via web filtering on corporate networks until patching is complete.
```bash
# Configuration example: query MDM inventory for vulnerable Firefox for iOS versions
# (Pseudocode - mdm-cli is a placeholder; adapt the query to your MDM API)
mdm-cli query devices \
  --app-bundle-id org.mozilla.ios.Firefox \
  --app-version-less-than 151.2 \
  --output csv > firefox_ios_vulnerable.csv
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
