CVE-2026-9309
Description
Firefox for iOS Reader View failed to escape JSON-LD metadata, allowing malicious pages to inject markup, leak URL parameters, and execute arbitrary JavaScript in internal origins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Firefox for iOS Reader View failed to HTML-escape values taken from a page's JSON-LD metadata (the structured-data block a page supplies for fields such as title and author) before inserting them into the Reader View page [1]. A malicious webpage can therefore inject arbitrary markup into the Reader View component, altering how its internal placeholders and metadata are processed [1][2].
Exploitation
An attacker must entice a user to open a malicious webpage in Firefox for iOS and invoke Reader View on it. The page's unescaped JSON-LD metadata then carries attacker-controlled markup into the Reader View rendering, where the injected markup causes sensitive URL parameters to be leaked [1].
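The following is an added illustration of the bug class described in the Vulnerability and Exploitation sections above; it is not Firefox for iOS code. It models a reader-mode renderer that takes the headline and author from a page's JSON-LD block and interpolates them into its own HTML, first without escaping and then with a minimal escaper. The template strings, function names and the attacker page are constructed for the demonstration.

```javascript
// Added example: HTML injection through unescaped JSON-LD metadata in a
// reader-mode template, next to the escaped variant. Not Firefox's code;
// templates and names are assumptions for illustration.

// Constructed attacker page: the JSON-LD "headline" smuggles an <img> tag.
const ATTACKER_PAGE = `<!doctype html>
<html><head>
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"Article",
 "headline":"Quarterly report<img src=x onerror=\\"alert(document.location)\\">",
 "author":{"@type":"Person","name":"Jane Doe"}}
</script>
</head><body><article><p>Body text.</p></article></body></html>`;

// Pull the first JSON-LD block out of the page and parse it as JSON.
function extractJsonLd(html) {
  const m = html.match(
    /<script[^>]*type=["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/i
  );
  return m ? JSON.parse(m[1]) : null;
}

// Minimal escaper for text and double-quoted attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function authorName(meta) {
  return meta && meta.author && meta.author.name ? meta.author.name : '';
}

// Vulnerable renderer: metadata values land in the markup verbatim, so any
// tag inside the JSON-LD string becomes part of the reader page's DOM.
function renderReaderUnsafe(meta, bodyHtml) {
  return `<h1 class="reader-title">${meta.headline}</h1>
<p class="reader-byline">${authorName(meta)}</p>
${bodyHtml}`;
}

// Hardened renderer: every metadata value is escaped before it enters markup.
// The article body is assumed to have been sanitized separately.
function renderReaderSafe(meta, bodyHtml) {
  return `<h1 class="reader-title">${escapeHtml(meta.headline)}</h1>
<p class="reader-byline">${escapeHtml(authorName(meta))}</p>
${bodyHtml}`;
}

// Detection helper for the demo: the template never emits <img>, so its
// presence in the output means page metadata reached the markup unescaped.
function metadataInjectedMarkup(rendered) {
  return /<img\b/i.test(rendered);
}

function demo() {
  const meta = extractJsonLd(ATTACKER_PAGE);
  const body = '<p>Body text.</p>';
  return {
    unsafe: renderReaderUnsafe(meta, body),
    safe: renderReaderSafe(meta, body),
  };
}

const result = demo();
console.log('unsafe renderer injected markup:', metadataInjectedMarkup(result.unsafe));
console.log('safe renderer injected markup:  ', metadataInjectedMarkup(result.safe));
```

Escaping at the point where metadata is interpolated is the fix this class of bug needs; rejecting "suspicious" headlines at extraction time would not help, because any string the page controls must be treated as untrusted in the reader's own origin.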
Impact
Successful exploitation leaks sensitive URL parameters, which can then be used to reach internal pages. From there the attacker may achieve execution of arbitrary JavaScript within an internal origin, compromising the browser's internal security context [1].
Mitigation
This vulnerability was addressed in Firefox for iOS version 151.2, released on June 1, 2026 [1]. Users are advised to update their browser to this version or later to mitigate the risk of exploitation.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Firefox for iOS (no CPE assigned): versions before 151.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.