Headline
GHSA-wgrm-67xf-hhpq: PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Impact
If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported
set to true
(which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
Patches
The patch removes the use of eval
:
https://github.com/mozilla/pdf.js/pull/18015
Workarounds
Set the option isEvalSupported
to false
.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
Package
npm pdfjs-dist (npm)
Affected versions
<= 4.1.392
Patched versions
4.2.67
Description
Impact
If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
Patches
The patch removes the use of eval:
mozilla/pdf.js#18015
Workarounds
Set the option isEvalSupported to false.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
References
- GHSA-wgrm-67xf-hhpq
- mozilla/pdf.js#18015
- mozilla/pdf.js@85e64b5
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
calixteman published to mozilla/pdf.js
May 6, 2024
Published to the GitHub Advisory Database
May 7, 2024
Reviewed
May 7, 2024
Last updated
May 7, 2024