A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Mozilla Foundation Security Advisory 2024-22
Security Vulnerabilities fixed in Firefox ESR 115.11
Announced
May 14, 2024
Impact
high
Products
Firefox ESR
Fixed in
Firefox ESR 115.11
...
Mozilla Foundation Security Advisory 2024-21
Security Vulnerabilities fixed in Firefox 126
Announced
May 14, 2024
Impact
high
Products
Firefox
Fixed in
Firefox 126
...
Mozilla Foundation Security Advisory 2024-23
Security Vulnerabilities fixed in Thunderbird 115.11
Announced
May 15, 2024
Impact
high
Products
Thunderbird
Fixed in
Thunderbird 115.11
...
CVE-2024-4367: Arbitrary JavaScript execution in PDF.js
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSuppor
FishyPDF
FishyPDF is a viewer and analyzer for inspecting suspicious PDF files.
It is based heavily on Mozilla's PDF.js
with more secure defaults and some additional analysis features added.
Code structure
Since this project is a modified version of the original PDF.js web viewer, some
of the code is hard to cleanly separate.
The directory third_party/pdfjs/ contains a cop