CVE-2026-13356 PUBLISHED

Interrupted navigation could allow address bar origin spoofing in Firefox for iOS

Assigner: mozilla
Reserved: 25.06.2026 Published: 06.07.2026 Updated: 07.07.2026

A malicious webpage could interrupt a pending navigation by enqueuing a synchronous JavaScript dialog, causing the browser UI to display the destination origin in the address bar while continuing to render attacker-controlled content. This vulnerability was fixed in Firefox for iOS 152.3.

Product Status

Vendor Mozilla
Product Firefox for iOS
Versions
  • unaffected from 152.3 to * (incl.)

Credits

  • Azza Tegar Naufal Ataullah

References