Firefox iOS RTL Domain Rendering Issue in Link Preview
Description
Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Firefox for iOS displayed crafted RTL/IDN hostnames incorrectly in link preview, letting attacker-controlled sites appear as trusted origins.
Vulnerability
Firefox for iOS versions prior to 151.1 incorrectly rendered specially crafted right-to-left (RTL) and internationalized domain names (IDNs) in link preview UI surfaces [1]. The bug, tracked as Bug 2029371, allowed a crafted RTL hostname to visually reorder portions of the displayed domain, causing the link preview to show a trusted origin when the actual destination was an attacker-controlled site [1].
Exploitation
An attacker can register a domain containing a crafted RTL override character sequence that visually reorders the domain string in the link preview. When a user hovers over or long-presses a link to such a domain in Firefox for iOS, the preview UI displays the manipulated domain appearance rather than the true hostname. No authentication or additional user interaction beyond the hover/long-press gesture is required [1].
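The reordering described above depends on a hostname that mixes right-to-left and left-to-right text or carries bidi formatting characters, which a link-vetting step can flag before the name is displayed. The Python check below is an added example, not Mozilla's fix or code from the advisory; the function names, finding labels and sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Explicit bidi formatting characters: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = set("\u200e\u200f\u061c\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")
RTL_CLASSES = {"R", "AL"}  # strong right-to-left bidi classes


def label_direction(label):
    """Classify one DNS label as 'rtl', 'ltr', 'mixed' or 'neutral'."""
    classes = {unicodedata.bidirectional(ch) for ch in label}
    has_rtl = bool(classes & RTL_CLASSES)
    has_ltr = "L" in classes
    if has_rtl and has_ltr:
        return "mixed"
    return "rtl" if has_rtl else "ltr" if has_ltr else "neutral"


def bidi_findings(hostname):
    """Return reasons the rendered order of hostname may differ from its
    logical (label-by-label) order. An empty list means none were found."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in hostname):
        findings.append("bidi-control")
    # The bidi marks carry strong classes themselves, so drop controls first.
    cleaned = "".join(ch for ch in hostname if ch not in BIDI_CONTROLS)
    directions = [label_direction(lab) for lab in cleaned.split(".") if lab]
    if "mixed" in directions:
        findings.append("mixed-direction-label")
    if "rtl" in directions and "ltr" in directions:
        findings.append("rtl-and-ltr-labels")
    return findings


# Constructed sample hostnames for illustration (hypothetical values).
SAMPLES = [
    "example.com",
    "\u05d0\u05d1\u05d2.example.com",         # RTL label beside LTR labels
    "\u05d0\u05d1\u05d2.\u05d3\u05d4\u05d5",  # consistently RTL
    "ab\u05d0.example",                       # both directions in one label
    "exam\u200fple.com",                      # contains a bidi mark
]

if __name__ == "__main__":
    for host in SAMPLES:
        # ascii() keeps the terminal from reordering the hostname itself.
        print(ascii(host), bidi_findings(host))
```

A non-empty result is a cue to show the ASCII (punycode) form of the hostname rather than its Unicode rendering.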
Impact
A successful attack would cause a victim to perceive a link as pointing to a trusted site (e.g., "example.com") when it actually leads to an attacker-controlled domain. This could enable phishing or other social engineering attacks by tricking users into visiting malicious sites they otherwise would avoid. The impact is rated as low severity by Mozilla [1].
Mitigation
The vulnerability is fixed in Firefox for iOS 151.1, released on May 25, 2026 [1]. Users should update to this version or later via the App Store. There is no known workaround for older versions.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <151.1
Patches
No patches discovered yet.