[NPM:GHSA-7JG2-JGV3-FMR4] Malicious PDF can inject JavaScript into PDF Viewer
- Severity: High
- Affected Packages: 2
- Fixed Packages: 2
- CVEs: 1
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8, Firefox < 60 and PDF.js < 2.0.550.
Package | Affected Version |
---|---|
pkg:npm/pdfjs-dist | < 1.10.100 |
pkg:npm/pdfjs-dist | >= 2.0.0, < 2.0.550 |

Package | Fixed Version |
---|---|
pkg:npm/pdfjs-dist | = 1.10.100 |
pkg:npm/pdfjs-dist | = 2.0.550 |
- ID: NPM:GHSA-7JG2-JGV3-FMR4
- Severity: high
- URL: https://github.com/advisories/GHSA-7jg2-jgv3-fmr4
- Published: 2022-05-14T01:22:02
- Modified: 2024-05-28T20:43:54
- Rights: NPM Security Team
- Other Advisories:
  - ASA-201805-10
  - DSA-4199-1
  - ELSA-2018-1414
  - ELSA-2018-1415
  - FREEBSD:5AEFC41E-D304-4EC8-8C82-824F84F08244
  - FREEBSD:DA459DBC-5586-11E9-ABD6-001B217B3468
  - GLSA-201810-01
  - MFSA-2018-11
  - MFSA-2018-12
  - RHSA-2018:1414
  - RHSA-2018:1415
  - SUSE-SU-2018:1319-1
  - SUSE-SU-2018:1334-1
  - SUSE-SU-2018:1334-2
  - SUSE-SU-2018:2298-1
  - SUSE-SU-2019:2872-1
  - USN-3645-1
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:npm/pdfjs-dist | | pdfjs-dist | < 1.10.100 | | | |
Fixed | pkg:npm/pdfjs-dist | | pdfjs-dist | = 1.10.100 | | | |
Affected | pkg:npm/pdfjs-dist | | pdfjs-dist | >= 2.0.0, < 2.0.550 | | | |
Fixed | pkg:npm/pdfjs-dist | | pdfjs-dist | = 2.0.550 | | | |