CVE-2026-53899 PUBLISHED

Cross-origin cookies could be leaked when opening a PDF link

Assigner: mozilla
Reserved: 11.06.2026 Published: 16.06.2026 Updated: 16.06.2026

Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.
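The class of flaw described above, shown as an added example that is not Firefox for iOS source code: a raw suffix comparison beside the RFC 6265 section 5.1.3 domain-match rule. It assumes "partial domain matching" means a suffix test with no label-boundary check; the hostnames, cookie jar and function names are constructed for illustration.

```javascript
// Added illustration: constructed code, not taken from Firefox for iOS.

// Flawed matcher (assumed shape of "partial domain matching"):
// a raw string-suffix test that ignores DNS label boundaries.
function naiveDomainMatch(requestHost, cookieDomain) {
  return requestHost.toLowerCase().endsWith(cookieDomain.toLowerCase());
}

// IP literals must never be suffix-matched (RFC 6265 requires a host name).
function isIpLiteral(host) {
  return host.includes(":") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.3 domain-match: identical strings, or the cookie
// domain is a suffix of the host, preceded by ".", and the host is a name.
function strictDomainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (domain === "") return false;
  if (host === domain) return true;
  if (isIpLiteral(host)) return false;
  return host.endsWith("." + domain);
}

// Names of the cookies a given matcher would attach to a request for requestHost.
function cookiesForHost(jar, requestHost, matcher) {
  return jar.filter((c) => matcher(requestHost, c.domain)).map((c) => c.name);
}

// Constructed sample data. The "lan" entry is deliberately malformed so the
// IP-literal rule is exercised.
const JAR = [
  { name: "session", domain: "bank.example" },
  { name: "lan", domain: "0.0.1" },
];
const HOSTS = ["bank.example", "pdf.bank.example", "evilbank.example", "10.0.0.1"];

// Side-by-side result per host: what each matcher would send.
function compare() {
  return HOSTS.map((host) => ({
    host,
    naive: cookiesForHost(JAR, host, naiveDomainMatch),
    strict: cookiesForHost(JAR, host, strictDomainMatch),
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```

A regression test for a fix of this kind should include a sibling registrable domain that merely ends with the target's name, as `evilbank.example` does here, not only subdomains of the target.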

Product Status

Vendor Mozilla
Product Firefox for iOS
Versions
  • unaffected from 152.0 to * (incl.)

Credits

  • Muneaki Nishimura
