GHSA-7jg2-jgv3-fmr4

Source
https://github.com/advisories/GHSA-7jg2-jgv3-fmr4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7jg2-jgv3-fmr4/GHSA-7jg2-jgv3-fmr4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7jg2-jgv3-fmr4
Aliases
Published
2022-05-14T01:22:02Z
Modified
2024-05-28T21:12:18.151577Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Malicious PDF can inject JavaScript into PDF Viewer
Details

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8, Firefox < 60 and PDF.js < 2.0.550.

References

Affected packages

npm / pdfjs-dist

Package

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.0.550

npm / pdfjs-dist

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.10.100