CVE-2024-4367

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

References

Affected packages

Git / github.com/mozilla/pdf.js

Affected ranges

Type: GIT
Repo: https://github.com/mozilla/pdf.js
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

49b388101a53f1ff81390fab8336d02acf06a582

Affected versions

1.*

1.0.277

milestone-0.*

milestone-0.2

v0.*

v0.1.0

v0.3.459

v0.4.11

v0.5.5

v0.8.1181

v0.8.1334

v1.*

v1.0.1040

v1.0.1149

v1.0.2

v1.0.21

v1.0.277

v1.0.403

v1.0.473

v1.0.68

v1.0.712

v1.0.907

v1.1.1

v1.1.114

v1.1.215

v1.1.3

v1.1.366

v1.1.469

v1.10.88

v1.2.109

v1.3.88

v1.4.11

v1.4.20

v1.5.188

v1.6.210

v1.7.225

v1.8.170

v1.8.188

v1.9.426

v2.*

v2.0.943

v2.1.266

v2.10.377

v2.11.338

v2.12.313

v2.13.216

v2.14.305

v2.15.349

v2.16.105

v2.2.228

v2.3.200

v2.4.456

v2.5.207

v2.6.347

v2.7.570

v2.8.335

v2.9.359

v3.*

v3.0.279

v3.1.81

v3.10.111

v3.11.174

v3.2.146

v3.3.122

v3.4.120

v3.5.141

v3.6.172

v3.7.107

v3.8.162

v3.9.179

v4.*

v4.0.189

v4.0.269

v4.0.379

v4.1.392

Other

vundefined

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-4367.json"