
CVE-2025-10859: Data stored in cookies for non-HTML content while browsing Incognito could be viewed after closing private tabs in Mozilla Firefox for iOS

Severity: Medium
Vulnerability | CVE-2025-10859
Published: Tue Sep 30 2025 (09/30/2025, 12:49:07 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox for iOS

Description

Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability affects Firefox for iOS < 143.1.

AI-Powered Analysis

Last updated: 10/01/2025, 00:12:30 UTC

Technical Analysis

CVE-2025-10859 is a medium-severity vulnerability affecting Mozilla Firefox for iOS versions prior to 143.1. The issue arises from improper handling of cookie storage for non-HTML temporary documents opened while browsing in Incognito (private) mode. Cookies set by such non-HTML content in private tabs were written to the cookie store used by normal browsing rather than to the private session's isolated store. As a result, data that should have existed only for the lifetime of the private session persisted and remained reachable from normal browsing after all private tabs were closed, breaking the privacy guarantee of Incognito mode. The root cause is an isolation flaw in cookie storage; the record classifies it under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The CVSS v3.1 base score is 4.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): local attack vector, low attack complexity, no privileges required, no user interaction, and a low confidentiality impact with no impact on integrity or availability. No exploitation in the wild has been reported, and the CVE record links no patch reference; the affected-version range nevertheless indicates that Firefox for iOS 143.1 contains the fix. Firefox for iOS is built on the system WebKit engine rather than Gecko, so the private-browsing cookie handling lives in the iOS application itself and is not shared with desktop Firefox; the fix is therefore specific to the iOS app and is delivered through the App Store.

Potential Impact

For European organizations, this vulnerability is primarily a privacy risk for users who rely on Firefox for iOS private browsing. Cookies set during a private session, which may carry session identifiers, authentication tokens or tracking identifiers, could remain in the normal browsing cookie store after all private tabs are closed. Two consequences follow. First, anyone who subsequently uses the browser on that device (a shared, lost or unlocked device) inherits those cookies and may land in an authenticated session the user believed was discarded. Second, because the browser sends the persisted cookies with later normal-mode requests to the same site, that site can link the private session to the user's normal browsing, defeating the separation private mode is meant to provide. The impact is limited to confidentiality; integrity and availability are unaffected, but user trust in the private browsing feature is undermined. Organizations handling regulated personal data (for example data protected under GDPR) may face compliance exposure where staff or customers use vulnerable versions and private browsing is assumed to provide isolation. The local attack vector means exploitation requires access to the affected device, or the user's browser visiting a site that sets cookies, so the risk is highest on shared or loosely managed devices; the absence of any required privileges or user interaction reflects that the leak happens during ordinary use, without any special action by the user.

Mitigation Recommendations

European organizations should update Firefox for iOS to version 143.1 or later, the first version outside the affected range, and use a Mobile Device Management (MDM) solution to enforce the update and to report installed browser versions across managed iOS devices. Until devices are updated, advise users not to rely on Firefox for iOS private browsing to isolate sensitive sessions, and to log out of sites explicitly rather than simply closing private tabs, since closing the tabs is exactly what the vulnerable build fails to honour. Where a stricter posture is required, restrict Firefox for iOS, or its private browsing feature, on managed devices until the update is in place. Educate users on the limits of private browsing: it does not replace logging out, device passcodes or separate user accounts. Exploitation is not observable client-side, but server-side monitoring for session anomalies, such as a session cookie reappearing from a client context in which it should not exist, may surface misuse. Finally, application owners can limit the value of any cookie that outlives a private session: keep session tokens short-lived, invalidate them server-side on logout, require re-authentication for sensitive operations, and enforce multi-factor authentication.


Technical Details

Data Version
5.1
Assigner Short Name
mozilla
Date Reserved
2025-09-22T18:14:38.909Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68dc71325d588c52e5de478d

Added to database: 10/1/2025, 12:09:22 AM

Last enriched: 10/1/2025, 12:12:30 AM

Last updated: 10/1/2025, 1:28:20 AM

