
CVE-2024-4367 PDF.js vulnerability | No advisory from Mozilla?

  • 4 replies
  • 1 has this problem
  • 1 view
  • Last reply by dveditz


CVE-2024-4367 has been announced for several days now with MITRE and CIS. There is also an issue/advisory on the GitHub repo for PDF.js, which appears to show that the fix has been merged into the master branch of PDF.js (https://github.com/advisories/GHSA-wgrm-67xf-hhpq).

The vulnerability is pretty serious and yet there is no Security Advisory from Mozilla on affected versions, etc. (https://www.mozilla.org/en-US/security/advisories/)

Is this normal and I am just being impatient?


All comments (4)

Hi, we don't have any insight into security issues. I guess it can land in version 126, which will be released May 14.


Vulnerabilities usually are not disclosed until fixed, but because PDF.js is a stand-alone component, its disclosure already came out while products that embed it -- like Firefox -- have not yet been updated.

Until someone provides a viable workaround (or permanent fix), it sounds as though the safest thing to do is to stop using the built-in PDF.js viewer. This article will get you to the relevant part of the Settings page: View PDF files using Firefox’s built-in viewer.

I haven't decided whether to do that. It's difficult to know when an exploit is actually being used in the wild and the odds of being attacked. Hopefully there will be some more tips soon since the next Firefox update isn't due until Tuesday.
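As an added example (not part of this thread, and not Mozilla's own code), the following POSIX shell helpers apply the same mitigation the reply above describes, but from the command line: they manage the `pdfjs.disabled` preference in a profile's `user.js` file instead of using the Settings page. The preference name and the `user_pref("name", value);` line format are existing Firefox conventions; the profile path, the temporary-file naming and the sample lines in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: toggle the built-in PDF.js viewer by
# managing the pdfjs.disabled preference in a Firefox profile's user.js.
# Assumptions: the pref name pdfjs.disabled controls the built-in viewer,
# user.js uses lines of the form user_pref("name", value); and the caller
# supplies the profile path (e.g. $HOME/.mozilla/firefox/<profile>/user.js).

PREF='pdfjs.disabled'

# pdfjs_state FILE -> prints "true", "false" or "unset" for the pref in FILE.
# If the pref appears more than once, the last line wins, matching how
# Firefox applies user.js entries in file order.
pdfjs_state() {
    f="$1"
    [ -f "$f" ] || { echo unset; return 0; }
    v=$(grep -E "^user_pref\(\"$PREF\", *(true|false)\);" "$f" | tail -n 1 \
        | sed -E 's/.*, *(true|false)\);.*/\1/')
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# pdfjs_set FILE true|false -> rewrite FILE so it holds exactly one line for
# the pref (true = built-in viewer off, false = built-in viewer on).
pdfjs_set() {
    f="$1"; val="$2"
    case "$val" in
        true|false) ;;
        *) echo "pdfjs_set: value must be true or false" >&2; return 1 ;;
    esac
    tmp="$f.tmp.$$"
    # keep every existing line except entries for this pref, then append ours
    if [ -f "$f" ]; then
        grep -v -E "^user_pref\(\"$PREF\"," "$f" > "$tmp" || true
    else
        : > "$tmp"
    fi
    echo "user_pref(\"$PREF\", $val);" >> "$tmp"
    mv "$tmp" "$f"
}

# pdfjs_viewer_enabled FILE -> exit 0 when the built-in viewer would still be
# used (pref unset or false), exit 1 when it has been turned off.
pdfjs_viewer_enabled() {
    [ "$(pdfjs_state "$1")" != "true" ]
}

# Usage (profile path is an assumption for this example; Firefox reads user.js
# at startup, so restart the browser after changing it):
#   pdfjs_set "$HOME/.mozilla/firefox/<profile>/user.js" true
#   pdfjs_viewer_enabled "$HOME/.mozilla/firefox/<profile>/user.js" || echo "built-in viewer off"
```

Editing `user.js` only takes effect on the next Firefox start, and the rewrite keeps any unrelated `user_pref` lines intact, so it is safe to run on an existing profile; `pdfjs_viewer_enabled` gives a scriptable check that the mitigation is actually in place on a machine.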


Hi

I have reached out to the Mozilla Security team who were able to advise me that we did not consider the vulnerability to be severe enough to support an unplanned update, but the fix is part of our upcoming scheduled update that is due to land in the Release version of Firefox next week.

We do not believe that the exploit is public or has been used in known attacks, but if you are concerned you may wish to use the Beta version of Firefox, which already has the fix applied.

Thank you.


> we did not consider the vulnerability to be severe enough to support an unplanned update

To add a little nuance, Paul is not contradicting calvin.tate's concern that the "vulnerability is pretty serious". It is—for PDF.js used on a website. As used in Firefox, the unintended script is opened in an unprivileged context that's more like opening a file:// url. In particular it is _not_ an XSS risk for the site you downloaded the PDF from: the address bar is a white lie that is less confusing to users than showing the real internal URL (Reader Mode does something similar).