SB2026060158 - Two vulnerabilities in Mozilla Firefox for iOS
Published: June 1, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Code Injection (CVE-ID: CVE-2026-9308)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary JavaScript.
The vulnerability exists due to improper neutralization of special elements in Reader View HTML template processing when rendering a malicious page in Reader View. A remote attacker can include a crafted placeholder string in page content to execute arbitrary JavaScript.
2) Code Injection (CVE-ID: CVE-2026-9309)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary JavaScript in an internal origin.
The vulnerability exists due to improper neutralization of special elements in Reader View JSON-LD metadata handling when rendering a malicious page in Reader View. A remote attacker can inject crafted markup through JSON-LD metadata to execute arbitrary JavaScript in an internal origin.
The injected markup can change Reader View behavior and leak sensitive URL parameters that are then used to access internal pages.
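The weakness class named in both entries, shown generically as an added example (this is not Firefox for iOS code and not part of the bulletin): a renderer that fills placeholders in sequential passes and inserts metadata unescaped, beside a single-pass renderer that escapes metadata fields. The template, the `%NAME%` placeholder names, the function names and the sample fields are constructed assumptions.

```javascript
// Added illustration; template, %NAME% placeholders and sample data are constructed.
const TEMPLATE =
  '<html><head><title>%TITLE%</title></head><body>' +
  '<div id="content">%CONTENT%</div>' +
  '<p class="byline">%BYLINE%</p></body></html>';

// Escape a value for an HTML text or quoted-attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak: one pass per placeholder over the growing output, values inserted raw.
// A token sitting inside already-inserted page content is expanded by a later pass.
function renderSequential(fields) {
  let out = TEMPLATE;
  for (const name of ['TITLE', 'CONTENT', 'BYLINE']) {
    out = out.split(`%${name}%`).join(String(fields[name]));
  }
  return out;
}

// Hardened: a single pass over the template only, so inserted values are never
// rescanned; metadata fields are escaped. CONTENT is assumed to have been
// sanitised by an HTML sanitiser before it reaches this function.
function renderSinglePass(fields) {
  const values = {
    TITLE: escapeHtml(fields.TITLE),
    CONTENT: String(fields.CONTENT),
    BYLINE: escapeHtml(fields.BYLINE),
  };
  return TEMPLATE.replace(/%([A-Z]+)%/g, (token, name) =>
    Object.prototype.hasOwnProperty.call(values, name) ? values[name] : token);
}

// Count non-overlapping occurrences of needle in haystack.
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Constructed input: page content carrying a placeholder token, metadata carrying markup.
const sample = {
  TITLE: 'Example article',
  CONTENT: '<p>Intro %BYLINE% end</p>',
  BYLINE: '<b>metadata markup</b>',
};

console.log(countOccurrences(renderSequential(sample), sample.BYLINE)); // 2
console.log(countOccurrences(renderSinglePass(sample), sample.BYLINE)); // 0
```

In the single-pass output the token inside the page content stays literal text and the metadata markup appears only in escaped form.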
Remediation
Install the update from the vendor's website.