Assigner | mozilla |
Reserved | 2024-04-30 |
Published | 2024-05-14 |
Updated | 2024-06-04 |
Description
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Problem types
Arbitrary JavaScript execution in PDF.js
Product status
Credits
Thomas Rinsma of Codean Labs
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
https://www.mozilla.org/security/advisories/mfsa2024-21/
https://www.mozilla.org/security/advisories/mfsa2024-22/
https://www.mozilla.org/security/advisories/mfsa2024-23/