PatchSiren cyber security CVE debrief

CVE-2026-9309 Mozilla CVE debrief

A medium-severity cross-site scripting vulnerability in Firefox for iOS Reader View allowed malicious pages to inject unescaped HTML via JSON-LD metadata. The injected markup could alter Reader View behavior and exfiltrate sensitive URL parameters, which could then be leveraged to access internal pages and achieve arbitrary JavaScript execution in an internal origin. Mozilla fixed this issue in Firefox for iOS 151.2.

Vendor: Mozilla
Product: Firefox for iOS
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations with mobile workforces using Firefox for iOS, security teams managing mobile browser configurations, and users who rely on Reader View for content consumption.

Technical summary

Firefox for iOS Reader View failed to properly escape HTML tags embedded in JSON-LD metadata. A malicious web page could supply crafted JSON-LD containing unescaped markup. When a user activated Reader View, the injected markup would execute in the Reader View context, altering its behavior and extracting sensitive URL parameters. Those parameters could then be used to reach internal browser pages, ultimately permitting arbitrary JavaScript execution in an internal origin. The vulnerability is classified as CWE-79 and scored CVSS 3.1 5.4 (Medium).
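As an added illustration (not Mozilla's code and not the actual Reader View implementation), the constructed JavaScript below shows the CWE-79 pattern described above beside its escaped form: fields pulled from a page's JSON-LD block are interpolated into Reader View markup, and the hardened renderer escapes every field first. The JSON-LD sample, the field names and the `containsInjectedTag` check are assumptions made for this example.

```javascript
// Constructed JSON-LD block standing in for what a page could supply to Reader View.
const CONSTRUCTED_JSON_LD = JSON.stringify({
  "@context": "https://schema.org",
  "@type": "Article",
  "headline": "Quarterly report <em>draft</em>",
  "author": { "@type": "Person", "name": "A. Author \"Ed.\"" }
});

// Minimal HTML escaper for text placed into element content or attribute values.
// '&' is replaced first so later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull headline and author name out of a JSON-LD block, tolerating malformed input.
function parseJsonLd(text) {
  let data;
  try { data = JSON.parse(text); } catch { return null; }
  if (!data || typeof data !== "object") return null;
  const headline = typeof data.headline === "string" ? data.headline : "";
  const author = data.author && typeof data.author.name === "string" ? data.author.name : "";
  return { headline, author };
}

// Vulnerable pattern (CWE-79): metadata is concatenated straight into the template,
// so any markup inside the JSON-LD strings becomes live markup in the Reader View document.
function renderVulnerable(meta) {
  return `<h1>${meta.headline}</h1><p class="byline">${meta.author}</p>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches the markup.
function renderHardened(meta) {
  return `<h1>${escapeHtml(meta.headline)}</h1><p class="byline">${escapeHtml(meta.author)}</p>`;
}

// Regression check (hypothetical helper): the rendered output must contain no tags
// other than the ones the template itself emits.
function containsInjectedTag(html, allowed = ["h1", "p"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map(m => m[1].toLowerCase());
  return tags.some(t => !allowed.includes(t));
}
```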

Defensive priority

medium

Recommended defensive actions

  • Upgrade Firefox for iOS to version 151.2 or later.
  • If upgrade is delayed, avoid using Reader View on untrusted or suspicious websites.
  • Monitor for unexpected internal-page navigation or parameter leakage in Firefox for iOS logs.
  • Review mobile device management policies to enforce minimum browser versions.

Evidence notes

The NVD record lists CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N and CWE-79 (Improper Neutralization of Input During Web Page Generation). Mozilla's security advisory MFSA2026-53 and Bugzilla bug 2036573 are cited as primary sources.

Official resources

Mozilla disclosed this vulnerability on 2026-06-01. The vendor published Firefox for iOS 151.2 as the fixed version.