PatchSiren cyber security CVE debrief
CVE-2026-9308 Mozilla CVE debrief
A cross-site scripting (XSS) vulnerability in Firefox for iOS Reader View allowed malicious pages to inject arbitrary JavaScript through template placeholder substitution. The root cause was an ordering issue in the Reader View HTML template processing: page content was substituted before internal placeholders were replaced, enabling attacker-controlled placeholder strings to be later populated with JSON-LD data and executed as script. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Mozilla fixed this in Firefox for iOS 151.2. The CVSS 3.1 score of 5.4 (Medium) reflects network attack vector, low attack complexity, no privileges required, user interaction required, and unchanged scope with low impacts to confidentiality and integrity. No known exploitation in ransomware campaigns has been documented.
- Vendor
- Mozilla
- Product
- Firefox for iOS
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations with iOS device fleets using Firefox for browsing, mobile security teams managing browser configurations, and users relying on Reader View for content consumption should prioritize updating to the patched version.
Technical summary
Firefox for iOS Reader View processed HTML templates by substituting page content prior to replacing internal placeholders. A malicious webpage could embed a placeholder string matching the internal format. When Reader View later substituted JSON-LD metadata into remaining placeholders, the attacker-controlled content could be interpreted as executable JavaScript rather than sanitized text. This constituted a stored-like XSS condition within the Reader View rendering context, with execution occurring in the browser's WebView. The fix in version 151.2 corrected the template processing order to sanitize or isolate user content before internal placeholder resolution.
Defensive priority
medium
Recommended defensive actions
- Update Firefox for iOS to version 151.2 or later to remediate this vulnerability.
- For managed iOS deployments, verify app update policies enforce minimum version 151.2 for Firefox.
- Review web content filtering controls for iOS devices that may delay or block browser updates.
- Monitor for anomalous JavaScript execution in Reader View contexts if updates cannot be immediately applied.
Evidence notes
The vulnerability description and fix version are sourced from the official CVE record and NVD entry. The CWE-79 classification and CVSS vector are drawn from NVD metadata. Mozilla's Bugzilla entry and security advisory provide vendor confirmation of the fix in Firefox for iOS 151.2.
Official resources
Mozilla disclosed this vulnerability via its security advisory program and Bugzilla tracking. The CVE was published on June 1, 2026, with a subsequent modification to the record on the same day.