
CVE-2025-10859: Vulnerability in Mozilla Firefox for iOS

Severity: Medium
Tags: Vulnerability, CVE-2025-10859
Published: Tue Sep 30 2025 (09/30/2025, 12:49:07 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox for iOS

Description

Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability affects Firefox for iOS < 143.1.

AI-Powered Analysis

Last updated: 10/31/2025, 04:41:06 UTC

Technical Analysis

CVE-2025-10859 is a vulnerability identified in Mozilla Firefox for iOS versions earlier than 143.1, involving improper cookie storage handling. Specifically, cookie storage for non-HTML temporary documents was shared incorrectly with normal browsing content. This flaw allows information from private browsing (Incognito mode) tabs to escape isolation and be accessible outside the private session, even after the user closes all private tabs. The issue stems from a failure to segregate cookie storage contexts properly, violating the expected privacy guarantees of Incognito mode. The vulnerability is classified under CWE-359 (Exposure of Private Information Through Persistent Cookie), indicating a design weakness in managing cookie persistence and isolation. The CVSS 3.1 base score is 4.0 (medium severity), with vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack requires local access (local vector), low complexity, no privileges or user interaction, and impacts confidentiality only. No integrity or availability impacts are noted. No known exploits have been reported in the wild, and no official patches are linked yet, though the fixed version is identified as Firefox for iOS 143.1 or later. This vulnerability compromises user privacy by leaking data from private tabs, which could expose sensitive browsing information. It is particularly relevant for users relying on Firefox’s private browsing for confidentiality on iOS devices. The issue highlights the importance of strict cookie and session isolation in browsers to maintain privacy boundaries.

Potential Impact

For European organizations, the primary impact is the potential leakage of sensitive or confidential browsing information from private tabs on Firefox for iOS devices. This could lead to exposure of browsing habits, session tokens, or other private data that users expect to remain isolated in Incognito mode. Sectors such as finance, legal, healthcare, and government, where privacy is paramount, may face increased risk of data leakage through compromised private browsing sessions. Although the vulnerability does not allow code execution or system compromise, the breach of confidentiality could facilitate targeted social engineering, profiling, or unauthorized data collection. The impact is limited to devices running vulnerable Firefox for iOS versions and requires local access, so remote exploitation or large-scale attacks are unlikely. However, the widespread use of iOS devices and Firefox in Europe means many users could be affected if they do not update promptly. The absence of known exploits reduces immediate risk but does not eliminate the threat of future exploitation. Organizations with BYOD policies or mobile workforces should be particularly vigilant to prevent inadvertent data leaks via this vulnerability.

Mitigation Recommendations

1. Update Firefox for iOS to version 143.1 or later as soon as the patch is available to ensure the vulnerability is remediated.
2. Until the patch is applied, advise users to avoid using private browsing mode on Firefox for iOS for sensitive activities or confidential sessions.
3. Implement mobile device management (MDM) policies to enforce browser updates and restrict installation of outdated or vulnerable app versions.
4. Monitor network traffic and endpoint logs for unusual cookie or session data transmissions that could indicate leakage.
5. Educate users on the limitations of private browsing modes and the importance of applying security updates promptly.
6. Consider alternative secure browsing solutions or hardened browsers for sensitive use cases on iOS devices.
7. Regularly audit and review browser configurations and privacy settings to ensure compliance with organizational security policies.
8. Coordinate with Mozilla security advisories and subscribe to vulnerability notifications to stay informed about patches and exploit developments.


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-09-22T18:14:38.909Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68dc71325d588c52e5de478d

Added to database: 10/1/2025, 12:09:22 AM

Last enriched: 10/31/2025, 4:41:06 AM

Last updated: 11/14/2025, 3:03:17 PM

Views: 92
