MEDIUM 5.4

CVE-2026-9308: Firefox for iOS Reader View Template Injection (XSS)

Firefox for iOS Reader View had a template injection vulnerability where malicious web pages could exploit the order of placeholder substitution to inject JavaScript. When the app converted page content into Reader View, it processed user-controlled content before handling internal JSON-LD data placeholders. An attacker could craft a webpage with a specially-formatted string that, after substitution, becomes executable JavaScript code. This requires user interaction—the victim must open the malicious page and enable Reader View.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was fixed in Firefox for iOS 151.2.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9308 is a cross-site scripting (CWE-79) vulnerability in Firefox for iOS Reader View stemming from unsafe template processing. The vulnerability arises because HTML content from the web page is inserted into the Reader View template before internal placeholders (specifically those intended for JSON-LD structured data) are replaced. By injecting a string that mimics or completes a placeholder pattern, an attacker can poison the final HTML output so that JSON-LD substitution results in arbitrary JavaScript within the document context. The CVSS 3.1 score of 5.4 (MEDIUM) reflects network accessibility, low attack complexity, no special privileges required, but mandatory user interaction and limited impact scope (same-origin).

Business impact

Reader View is a commonly-used accessibility feature in Firefox for iOS that allows users to focus on article content without ads and formatting distractions. Exploitation of this vulnerability could enable credential theft, session hijacking, or malware distribution through booby-trapped articles or news sites. The attack surface includes any malicious or compromised website. However, the requirement for explicit user action to enable Reader View on a specific page limits mass exploitation. Organizations that allow iOS devices to access internal or partner content should consider the risk if those sites could be compromised or if users may visit untrusted sites.

Affected systems

This vulnerability affects Mozilla Firefox for iOS versions prior to 151.2. Firefox for iOS is available on Apple's App Store and is the primary Firefox offering for iPad and iPhone users. Desktop Firefox (Windows, macOS, Linux) and other Mozilla products are not affected. The vulnerability is specific to the iOS platform's implementation of Reader View.

Exploitability

Exploitation requires a user to visit a malicious or compromised webpage using Firefox for iOS and then manually activate Reader View on that page. No authentication, special network position, or browser configuration is needed from the attacker's perspective, but user action is mandatory. The vulnerability does not appear to be in active exploitation (it is not listed on the CISA Known Exploited Vulnerabilities catalog), and no public exploit code is known. The attack is reliable if a user can be socially engineered to open a suspicious link and enable Reader View.

Remediation

Update Firefox for iOS to version 151.2 or later. Users should enable automatic app updates through the App Store to receive patches promptly. There is no known workaround for users unable to update immediately, though disabling or avoiding Reader View on untrusted websites reduces exposure. Organizations managing iOS devices should push this update through their mobile device management (MDM) solution if deployed.

Patch guidance

Firefox for iOS 151.2 is the fixed version addressing this vulnerability. Users can verify their current version in Settings > Firefox > About Firefox within the app. The patch is available through the Apple App Store; users should check for updates or enable automatic updates. No manual configuration changes are required post-patch. Verify that all deployed instances have been updated to 151.2 or later by checking device inventory and app version reporting through MDM consoles if applicable.

Detection guidance

Monitor for Reader View activation followed by unusual JavaScript execution on iOS Firefox instances, though such logging may not be enabled by default in most environments. From a network perspective, detection is difficult because the payload is generated client-side after page fetch. Security teams should educate users to be cautious when enabling Reader View on unfamiliar or untrusted sites. Organizations using threat intelligence feeds should monitor for reports of compromised news sites or malicious articles promoting Firefox for iOS Reader View usage. Endpoint detection and response (EDR) solutions on iOS may flag suspicious script execution, depending on visibility into WebKit process activity.

Why prioritize this

This vulnerability merits timely but not emergency patching. The MEDIUM severity score and requirement for user interaction keep it below critical or high-risk categories, but the infection vector (web-based, no special privileges) and the prevalence of Firefox for iOS make it a legitimate business risk. Prioritize this update after critical/high vulnerabilities but within a standard 30-day patch cycle. Organizations with strict mobile security policies or users frequently accessing sensitive sites should accelerate deployment.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects: (1) network-based attack vector requiring only a URL; (2) low attack complexity, as the exploit does not require race conditions or specific server configurations; (3) no privileges required; (4) user interaction mandatory (opening Reader View); (5) unchanged scope (confined to the app's sandbox); (6) low confidentiality and integrity impact (session hijacking, credential theft possible but limited by same-origin policy and app sandbox). The absence of availability impact and the user-interaction requirement prevent a higher score despite the logical severity of XSS vulnerabilities.

Frequently asked questions

Can this vulnerability be exploited on desktop Firefox?

No. This vulnerability is specific to Firefox for iOS and its Reader View implementation. Desktop Firefox versions (Windows, macOS, Linux) use a different rendering and template architecture and are not affected.

What happens if I don't update Firefox for iOS?

If you continue using Firefox for iOS prior to version 151.2, you remain at risk when using Reader View on untrusted or malicious websites. An attacker could steal session cookies, capture credentials, or redirect you to malware. Updating to 151.2 closes the template injection vector.

Is my data encrypted or backed up by Firefox if this is exploited?

Exploitation of this vulnerability allows arbitrary JavaScript execution within the Firefox process and its sandbox. An attacker could access data stored in that tab's session, cookies, and site-specific storage, but the iOS app sandbox generally isolates Firefox from other apps and system data. However, this does not mean your data is safe—sensitive information in active sessions or stored passwords could still be exposed.

How do I know if my device was compromised by this vulnerability?

There is no current widespread active exploitation reported (it is not on the CISA KEV list). If you suspect compromise, look for unusual app behavior, unexpected logins, or password changes on linked accounts. Updating to Firefox for iOS 151.2 immediately and reviewing your account security settings is the safest course of action. Consider a password reset if you frequently use Reader View on untrusted sites.

This analysis is based on the official CVE record and Mozilla advisory information available as of the publish date. Patch availability and version numbers are current as of the last update; verify against the official Mozilla Firefox for iOS release notes and security advisories before deployment. This explainer does not constitute legal or professional security advice; readers should consult with their own security teams and follow organizational change management and testing procedures before deploying patches to production environments. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).