Cybersecurity: PDF.js Can Execute Malicious Code!

The JavaScript library for PDF visualization developed by Mozilla, known as PDF.js, is at the center of a rather concerning new security discovery! A flaw in the font rendering code allows an attacker to execute arbitrary JavaScript simply by opening a malicious PDF. And beware, this affects all applications using PDF.js, including Firefox, some code editors, and file browsers. Yikes!

Essentially, when PDF.js displays a special font, it converts the glyph descriptions into instructions for drawing those glyphs. However, a malicious hacker can inject their own code into the font description, resulting in the execution of this code by the browser.

The vulnerability, labeled CVE-2024-4367, thus relies on manipulating the font rendering commands. The transform command using fontMatrix is exploited to insert JavaScript code, and then PDF.js dynamically compiles the font descriptions to optimize performance. Normally, this array contains only numbers; however, this flaw allows the injection of strings. By inserting JavaScript code into this array, it is possible to trigger the code during font rendering.

A well-crafted exploit could enable various attacks such as arbitrary code execution, data theft, or even complete system takeover via XSS attacks or native code execution. The vulnerability currently affects PDF.js versions lower than 4.2.67.

According to researchers at Codean Labs, this vulnerability affects not only Firefox users (<126) but also many web and Electron-based applications that indirectly use PDF.js for preview functionality. They also point out that this flaw exploits a specific part of the font rendering code, a segment developers should scrutinize carefully.

In short, make sure to update PDF.js to a version higher than 4.2.67 and update your tools to versions equal to or higher than Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11.

Mohamed SAKHRI
Mohamed SAKHRI

I'm the creator and editor-in-chief of Tech To Geek. Through this little blog, I share with you my passion for technology. I specialize in various operating systems such as Windows, Linux, macOS, and Android, focusing on providing practical and valuable guides.

Articles: 1310

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked *