Mozilla Foundation Security Advisory 2026-53

Security Vulnerabilities fixed in Firefox for iOS 151.2

Announced

June 1, 2026

Impact

high

Products

Firefox for iOS

Fixed in

Firefox for iOS 151.2

#CVE-2026-9308: Arbitrary JavaScript execution in Reader View due to wrong HTML replacement order

Reporter: Muneaki Nishimura
Impact: high

Description

Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution.

References

Bug 2039422

#CVE-2026-9309: Arbitrary JavaScript execution in internal pages via Reader View JSON-LD injection

Reporter: Muneaki Nishimura
Impact: high

Description

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin.

References

Bug 2036573

Firefox browsers

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

Solo

0DIN

Tabstack

About Mozilla

The Mozilla Manifesto

Get Involved

Blog