Mozilla Firefox: Four Vulnerabilities Disclosed Across JavaScript Engine and iOS Reader View
Key findings • Four distinct vulnerabilities in Mozilla Firefox disclosed between June 1-2, 2026. • Two critical vulnerabilities found in the JavaScript Engine's JIT compilation and graphics …
Key findings
- Four distinct vulnerabilities in Mozilla Firefox disclosed between June 1-2, 2026.
- Two critical vulnerabilities found in the JavaScript Engine's JIT compilation and graphics text components.
- Two medium-severity vulnerabilities affect Firefox for iOS Reader View, related to HTML escaping and placeholder substitution.
- Patches for all disclosed vulnerabilities are available in Firefox 151.0.3 and the latest Firefox for iOS.
- No reports of active exploitation in the wild were mentioned in the disclosures.
Mozilla has disclosed a batch of four vulnerabilities affecting its Firefox browser, with patches rolling out in Firefox 151.0.3. The disclosures, spanning June 1st and 2nd, 2026, highlight issues in both the core JavaScript engine and the Reader View functionality on iOS.
Two of the vulnerabilities stem from the JavaScript Engine's Just-In-Time (JIT) compilation component. CVE-2026-10702 points to a JIT miscompilation issue, while CVE-2026-10701 identifies incorrect boundary conditions within the Graphics: Text component. Both of these issues were resolved in the latest Firefox update, underscoring the ongoing efforts to maintain the security and stability of Mozilla's core rendering and scripting technologies.
The remaining two vulnerabilities specifically target the Firefox for iOS application, particularly its Reader View feature. CVE-2026-9309 describes a flaw where Reader View did not properly escape HTML tags within JSON-LD metadata. This could allow a malicious webpage to inject markup, alter Reader View behavior, and potentially leak sensitive URL parameters. These parameters could then be exploited to access internal pages, leading to the possibility of arbitrary JavaScript execution within an inter-frame context.
Similarly, CVE-2026-9308 also affects the Firefox for iOS Reader View. This vulnerability arose from the feature replacing page content in its HTML template before other internal placeholders were processed. A malicious page could exploit this by including a placeholder string that would later be substituted with JSON-LD data, again creating a risk of arbitrary JavaScript execution. Both of these iOS-specific issues have been fixed in the latest version of Firefox for iOS.
While the disclosures do not indicate any reports of these vulnerabilities being exploited in the wild, their presence across different components of the Firefox ecosystem warrants attention. The JavaScript engine vulnerabilities, in particular, could have far-reaching implications if exploited, potentially allowing for code execution or other malicious activities. The iOS-specific flaws highlight the need for continuous security auditing of platform-specific features.
Users of Mozilla Firefox are strongly advised to update to version 151.0.3 or later to ensure they are protected against these newly disclosed threats. Maintaining up-to-date software is a critical step in safeguarding against potential exploits and ensuring a secure browsing experience.