CVE-2026-9308

Vulnerability

Firefox for iOS Reader View contains a flaw in its HTML template processing logic where page content is replaced before internal placeholders. This incorrect order allows a malicious webpage to include a specific placeholder string that is subsequently substituted with JSON-LD data, leading to an injection vulnerability [1]. This issue affects versions of Firefox for iOS prior to 151.2 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious webpage containing a specially formatted placeholder string. When a user views this page using the Reader View feature in an affected version of Firefox for iOS, the browser processes the template incorrectly, causing the injected JSON-LD data to be interpreted as executable code within the context of the Reader View [1].

Impact

Successful exploitation of this vulnerability allows an attacker to achieve arbitrary JavaScript execution within the context of the Reader View [1]. This compromise can potentially lead to unauthorized actions or data access within the browser's internal environment, depending on the privileges associated with the Reader View origin.

Mitigation

This vulnerability was addressed in Firefox for iOS 151.2, released on June 1, 2026 [1]. Users are advised to update their application to this version or later to remediate the security risk.