CVE-2026-53900
Description
Firefox for iOS 152.0 fixes a cookie injection vulnerability where cookies set on PDF requests are preserved across cross-origin redirects, allowing malicious sites to inject arbitrary cookies into unrelated domains.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cookie injection vulnerability exists in Firefox for iOS prior to version 152.0. In the TemporaryDocument handling of PDF requests, cookies set on the initial PDF request are preserved across cross-origin HTTP redirects. This allows a malicious website to inject arbitrary cookies into requests destined for an unrelated target domain. The bug is tracked as Bug 2043204 and was reported by Muneaki Nishimura [1].
Exploitation
An attacker can host a malicious site that causes a PDF request to be made. By manipulating the redirect chain, the cookies that were set on the initial PDF request are preserved and sent to a different, unrelated domain. The attacker does not need to control the target domain; they only need to induce a cross-origin redirect from the PDF request [1].
Impact
Successful exploitation allows the attacker to inject arbitrary cookies into HTTP requests made to an arbitrary target domain. This could lead to session hijacking, CSRF attacks, or other cookie-based exploits against that domain. The impact is rated high by Mozilla [1].
Mitigation
The vulnerability is fixed in Firefox for iOS version 152.0, released on June 16, 2026. Users should update to this version or later. No workarounds are documented [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <152.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.