Stored XSS via PDFjs
HackerOne report #2512938 by h4x0r_dz on 2024-05-20:
Summary
I found CVE-2024-4367, a vulnerability in PDF.js, a JavaScript-based PDF viewer maintained by Mozilla. This vulnerability allows an attacker to execute arbitrary JavaScript code when a malicious PDF file is opened. Given that PDF.js is widely used in web applications and integrated into Firefox as its default PDF viewer, the impact of this vulnerability is significant.
Affected Versions
- PDF.js versions used by Firefox < 126
- All web and Electron applications using vulnerable versions of PDF.js (pdfjs-dist Node module)
Vulnerability Details
CVE-2024-4367 occurs due to a flaw in the glyph rendering process within PDF.js. Specifically, the issue arises when a JavaScript Function object is created to optimize glyph rendering by pre-compiling path generation instructions. This process improperly handles the FontMatrix array, allowing for arbitrary code injection.
Steps to Reproduce
- Craft a Malicious PDF: Create a PDF file that includes a manipulated FontMatrix array with a string payload. Example FontMatrix: /FontMatrix [1 2 3 4 5 (0\); alert\('foobar')]
- Upload the PDF to the Target Application: go to https://gitlab.com/ and upload the poc.pdf file in the repo
- Open the PDF in the Application: Once the PDF is opened, the injected JavaScript code (alert('foobar')) will be executed.
Proof of Concept (PoC)
Recommendations
Attachments:
- PoC PDF File
Impact
Exploiting this vulnerability allows arbitrary JavaScript execution with the following potential impacts:
- User Data Exposure: The attacker can access sensitive information within the context of the PDF viewer.
- Cross-Site Scripting (XSS): When integrated into web applications, this can lead to XSS attacks, compromising user accounts and data.
- Native Code Execution in Electron Apps: In Electron applications that do not properly sandbox JavaScript, this can lead to full native code execution.
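A defensive check for the condition the report describes, added here as an example and not part of the report or of PDF.js itself: scan a PDF's uncompressed objects for /FontMatrix arrays whose entries are anything other than six plain numbers, which is the validation a viewer must apply before splicing the matrix into generated code. The two PDF fragments are constructed for the example; the payload string is the one quoted in the report.

```python
import re
# Constructed sample PDF fragments (not files from the report): a well-formed
# Type3 font dictionary and one carrying the FontMatrix payload quoted above.
BENIGN_PDF = b"""5 0 obj
<< /Type /Font /Subtype /Type3 /FontMatrix [0.001 0 0 0.001 0 0] >>
endobj
"""
MALICIOUS_PDF = b"""5 0 obj
<< /Type /Font /Subtype /Type3 /FontMatrix [1 2 3 4 5 (0\\); alert\\('foobar')] >>
endobj
"""
# A PDF numeric object: optional sign, digits, optional decimal point.
NUMBER_RE = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)$")

def _array_tokens(data, start):
    """Split the PDF array at data[start] == b'[' into raw byte tokens.
    A (...) string literal, with escapes and nested parentheses, stays one token."""
    tokens, cur, depth, i = [], b"", 0, start + 1
    while i < len(data):
        c = data[i:i + 1]
        if depth:                                # inside a string literal
            cur += data[i:i + 2] if c == b"\\" else c
            i += 2 if c == b"\\" else 1          # an escape consumes two bytes
            depth += (c == b"(") - (c == b")")
            if depth == 0:
                tokens.append(cur)
                cur = b""
            continue
        elif c in b"(] \t\r\n":                  # token boundary
            if cur:
                tokens.append(cur)
            cur = b""
            if c == b"]":
                return tokens
            if c == b"(":                        # open a string literal
                depth, cur = 1, c
        else:
            cur += c
        i += 1
    raise ValueError("unterminated array")

def find_suspicious_font_matrices(data):
    """Return [(offset, tokens)] for each /FontMatrix that is not six plain numbers."""
    findings = []
    for m in re.finditer(rb"/FontMatrix\s*\[", data):
        tokens = _array_tokens(data, m.end() - 1)
        if len(tokens) != 6 or not all(NUMBER_RE.match(t) for t in tokens):
            findings.append((m.start(), tokens))
    return findings
```

Objects stored inside compressed object streams are not visible to this byte-level scan, so inflate them first when checking real files.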