CVE-2026-9309: Firefox for iOS Reader View HTML Injection & Parameter Leakage
Firefox for iOS Reader View had a vulnerability that failed to properly sanitize HTML tags embedded in JSON-LD metadata on web pages. An attacker could craft a malicious website that injects markup into Reader View, disrupting its normal behavior and extracting sensitive URL parameters—such as authentication tokens or session identifiers—that users might not realize were being exposed. In certain scenarios, this could allow an attacker to redirect those parameters toward internal endpoints, potentially enabling arbitrary JavaScript execution within a privileged origin. Mozilla fixed this issue in Firefox for iOS version 151.2.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin. This vulnerability was fixed in Firefox for iOS 151.2.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9309 is a cross-site scripting (CWE-79) vulnerability in Firefox for iOS Reader View stemming from inadequate HTML escaping of JSON-LD metadata. Reader View processes structured data markup from web pages to extract and display article content in a simplified, ad-free format. When parsing JSON-LD metadata, the application failed to escape HTML entities, allowing an attacker to break out of the data context and inject arbitrary markup. This injected markup could manipulate Reader View's rendering behavior and, more critically, cause the leak of URL parameters present in the page's context. Because Reader View operates with elevated privileges relative to standard web content, parameters exposed through this mechanism could be directed to internal endpoints that would normally be inaccessible, opening a pathway to arbitrary script execution within an internal origin context.
Business impact
The vulnerability poses a moderate but meaningful risk to iOS users who regularly rely on Reader View for safe, distraction-free reading. An attacker could harvest sensitive data embedded in URLs—including session tokens, CSRF tokens, or tracking identifiers—without the user's explicit awareness. If those parameters are subsequently used to access internal endpoints, the compromise could extend beyond data theft to active code execution, potentially compromising user accounts or device security. For enterprises managing iOS devices through Mobile Device Management (MDM), this could serve as a foothold for lateral movement or privilege escalation, especially if users are authenticated to internal web applications.
Affected systems
Firefox for iOS versions prior to 151.2 are affected. The vulnerability does not impact Firefox on desktop or other mobile browsers. Users running version 151.2 or later are protected. Organizations should verify the Firefox for iOS version in use across their managed device fleet and ensure automatic updates are enabled.
Exploitability
The vulnerability requires user interaction—a victim must visit a malicious website where Reader View is activated (either manually or through automatic triggering). No authentication or special browser configuration is required. The attack surface is broad because Reader View is a standard feature available to all users, and activation is straightforward. However, the attacker must craft a specific payload targeting JSON-LD metadata, which requires moderate technical sophistication. The CVSS score of 5.4 (MEDIUM) reflects the requirement for user interaction and the absence of system-wide availability impact, though the potential for parameter leakage and internal endpoint access elevates the severity beyond a typical reflected XSS.
Remediation
Update Firefox for iOS to version 151.2 or later. This patch properly escapes HTML tags within JSON-LD metadata processing, preventing the injection and execution of attacker-controlled markup. Users should enable automatic app updates in the iOS App Store settings to receive security patches as soon as they are released. No configuration changes or workarounds are available; patching is the only mitigation.
Patch guidance
Install Firefox for iOS version 151.2 or later. Steps: 1) Open the iOS App Store. 2) Tap your profile icon (top-right). 3) Scroll to Firefox and check for an 'Update' button; if present, tap it. 4) Alternatively, enable 'Automatic Updates' in App Store settings (Settings > [Your Name] > App Store > App Updates) to receive patches automatically. 5) Verify the update completed by checking Settings > Firefox > Version (or equivalent within the app). If your organization manages iOS devices via MDM, deploy the updated version through your MDM platform or ensure that automatic updates are enforced for managed devices.
Detection guidance
Detection of exploitation after the fact is difficult without access to device logs. Organizations can monitor for: 1) Unusual access patterns to internal endpoints from iOS clients, particularly with unexpected URL parameters. 2) Web server logs showing requests from Firefox for iOS that include sensitive parameters being leaked to attacker-controlled domains. 3) User reports of Reader View behaving unexpectedly (e.g., garbled display, unexpected redirects). Proactive detection during the attack is limited; the most effective approach is ensuring timely deployment of version 151.2 to prevent exploitation.
Why prioritize this
While the CVSS score is moderate (5.4), the vulnerability merits priority patching due to the potential for parameter leakage and internal endpoint access, which could escalate to arbitrary code execution. The attack requires only user interaction—a low barrier—and Reader View is a widely-used feature. Organizations with BYOD policies or those managing iOS devices running older versions should prioritize this patch to close a pathway to credential theft and internal system compromise.
Risk score, explained
The CVSS v3.1 score of 5.4 reflects: Attack Vector (Network) indicating remote exploitability; Access Complexity (Low) meaning no special conditions are required; Privilege Required (None) as any unauthenticated user can exploit it; User Interaction (Required) since the victim must activate Reader View; Scope (Unchanged) as the impact is limited to the vulnerable component; Confidentiality (Low) due to parameter leakage; and Integrity (Low) reflecting the ability to inject and manipulate content. Availability is not impacted. The score appropriately captures a moderate-severity issue that requires user action but has potential for privilege escalation through internal endpoint access.
Frequently asked questions
Does this vulnerability affect Firefox on Android or desktop?
No. This vulnerability is specific to Firefox for iOS. Firefox on Android and desktop use different rendering engines and do not contain this Reader View implementation.
Can I disable Reader View to protect myself until I update?
Disabling Reader View would reduce immediate exposure, but it is not a complete mitigation. The safest approach is to update to version 151.2 as soon as possible. If you have not yet updated, avoiding malicious websites and being cautious when activating Reader View on untrusted pages helps reduce risk.
What is JSON-LD and why does Reader View use it?
JSON-LD (JSON for Linking Data) is a standard format for embedding structured metadata in web pages. Publishers use it to mark up article titles, authors, publication dates, and other content metadata. Reader View parses this metadata to extract and display articles cleanly. The vulnerability occurred because the app did not properly escape HTML when processing these metadata tags.
If my device is managed by an MDM platform, how will I receive the patch?
Your IT or mobile security team will typically deploy updated app versions through the MDM platform, or they will enforce automatic app updates. Check with your organization's IT department or MDM administrator for their Firefox for iOS update policy and timeline.
This analysis is provided for informational purposes and reflects information available as of the publication date. SEC.co does not guarantee the completeness or accuracy of third-party vendor advisories or patch availability. Organizations should verify patch status and applicability against their own device inventory and the official Firefox for iOS release notes. The absence of KEV (Known Exploited Vulnerability) status does not imply the vulnerability has not been exploited in the wild; organizations should remain vigilant. No exploit code or proof-of-concept is provided. Always test patches in a controlled environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9308MEDIUMFirefox for iOS Reader View Template Injection (XSS)
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide