CVE-2026-53899
Description
Firefox for iOS incorrectly matches cookie domains for PDF requests, allowing a suffix-domain attacker to steal cookies intended for a different site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Firefox for iOS versions prior to 152.0 use partial domain matching when attaching cookies to PDF requests. When a user opens a PDF link from a malicious site, the browser may attach cookies belonging to the target site to a request made to a suffix domain (for example, attacker.example.com could receive cookies for example.com). [1]
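The partial-matching bug class described here, as an added example that is neither Firefox's code nor this page's own (no fix diff is available, so Mozilla's actual check is unknown and is modelled as a bare string-suffix test): the buggy matcher beside RFC 6265 domain matching with host-only handling, both run over a constructed cookie jar.

```python
"""Constructed model of the suffix-matching cookie bug class; not Firefox code."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # lowercase, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute

def naive_suffix_match(request_host: str, cookie: Cookie) -> bool:
    """Buggy check: a bare string-suffix test. It ignores host-only scope and
    label boundaries, so 'notexample.com' also matches 'example.com'."""
    return request_host.lower().rstrip(".").endswith(cookie.domain)

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def rfc6265_domain_match(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: identical, or host ends with '.' + domain and is not an IP."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    return host == domain or (host.endswith("." + domain) and not _is_ip(host))

def should_send(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 s5.4: host-only cookies need an exact host; domain cookies a domain-match."""
    host = request_host.lower().rstrip(".")
    if cookie.host_only:
        return host == cookie.domain
    return rfc6265_domain_match(host, cookie.domain)

def cookies_for(request_host: str, jar, matcher) -> list[str]:
    """Names of the cookies `matcher` would attach to a request for request_host."""
    return sorted(c.name for c in jar if matcher(request_host, c))

# Constructed jar: host-only session cookie from example.com, a Domain=example.com
# preference cookie, and a host-only admin cookie from login.example.com.
JAR = (
    Cookie("sessionid", "example.com", host_only=True),
    Cookie("prefs", "example.com", host_only=False),
    Cookie("admin", "login.example.com", host_only=True),
)

if __name__ == "__main__":
    for host in ("attacker.example.com", "notexample.com", "example.com"):
        print(host, "buggy:", cookies_for(host, JAR, naive_suffix_match),
              "correct:", cookies_for(host, JAR, should_send))
```

The buggy matcher hands the host-only session cookie to any subdomain and even to an unrelated name that merely ends in the same string; the RFC check sends only the domain cookie to subdomains and nothing to notexample.com.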
Exploitation
An attacker hosts a malicious site on a suffix domain (e.g., evil.example.com) and tricks the user into opening a PDF link that originates from the target site (e.g., example.com). The browser's PDF handler incorrectly attaches cookies for the target domain to the request to the suffix domain, allowing the attacker to receive them. No additional user interaction beyond clicking the PDF link is required. [1]
Impact
Successful exploitation leads to the leakage of cookies from the target site to the attacker's suffix domain. These cookies may contain session tokens or authentication credentials, potentially allowing the attacker to impersonate the user on the target site or access sensitive data. The impact is rated high by Mozilla. [1]
Mitigation
The vulnerability is fixed in Firefox for iOS 152.0, released on June 16, 2026. Users should update their browsers to the latest version. There is no known workaround for affected versions. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Firefox for iOS: range <152.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.