[NPM:GHSA-7JG2-JGV3-FMR4] Malicious PDF can inject JavaScript into PDF Viewer

Severity: High
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8, Firefox < 60 and PDF.js < 2.0.550.

| Package | Affected Version |
|---|---|
| pkg:npm/pdfjs-dist | < 1.10.100 |
| pkg:npm/pdfjs-dist | >= 2.0.0, < 2.0.550 |

| Package | Fixed Version |
|---|---|
| pkg:npm/pdfjs-dist | = 1.10.100 |
| pkg:npm/pdfjs-dist | = 2.0.550 |

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:npm/pdfjs-dist | | pdfjs-dist | < 1.10.100 | | | |
| Fixed | pkg:npm/pdfjs-dist | | pdfjs-dist | = 1.10.100 | | | |
| Affected | pkg:npm/pdfjs-dist | | pdfjs-dist | >= 2.0.0 < 2.0.550 | | | |
| Fixed | pkg:npm/pdfjs-dist | | pdfjs-dist | = 2.0.550 | | | |