Arbitrary JavaScript Execution Vulnerability in Firefox for iOS
CVE-2026-9308

5.4MEDIUM

Key Information:

Vendor

Mozilla
Status
Firefox For iOS
Vendor
CVE Published:
1 June 2026

What is CVE-2026-9308?

A security flaw in Firefox for iOS allowed a crafted web page to replace content in its Reader View, using placeholder strings that could be substituted with JSON-LD data. This could lead to arbitrary execution of JavaScript, potentially exposing users to security risks. It highlights the importance of securing web browsers against malicious scripts. The issue was addressed in Firefox for iOS version 151.2, underscoring the need for users to keep their applications updated to safeguard against such vulnerabilities.

Affected Version(s)

Firefox for iOS 151.2

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2039422
https://www.mozilla.org/security/advisories/mfsa2026-53/

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muneaki Nishimura
.