
CVE-2024-4367 in 115.19.0esr - still vulnerable?


Hi, during some tests I found that FF 115.19.0esr can still execute arbitrary JS, similarly to CVE-2024-4367. I’ve checked the versions and > 115.11esr should be patched. Any payload with ‘/JS’ taken from https://github.com/luigigubello/PayloadsAllThePDFs/tree/main will do. Since this is probably important – FontMatrix is *not* working (no JS), and the original PoC (https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf) is also *not* working. I also wasn’t able to call an external script and so far haven’t found any path to exploit it beyond an alertbox. However, it still bothers me a lot and I’d like to know whether it’s the correct, expected behavior with FF+pdf.js, whether it is a vulnerability, or maybe my browser was somehow corrupted or is using some other mechanism that’s not within your control (my settings? about:config?).

Steps to re-create:

  1. Open file in notepad
  2. Add ‘/OpenAction 99 0 R’ after ‘lang’ in ‘1 0 obj section’
  3. After ‘endobj’ add ‘99 0 obj <</Type /Action /S /JavaScript /JS (app.alert\(1\);)>>’
  4. Result – alertbox popping twice

Attached screenshots
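A defender-side check for the construction described in the post above (added example, not from the thread or from pdf.js): it indexes the uncompressed objects of a PDF, follows the catalog's /OpenAction to its action object and reports when that action is /S /JavaScript, decoding the /JS string including the escaped parentheses used in the poster's payload. SAMPLE_PDF is constructed here to mirror the recipe; compressed object streams are out of scope.

```python
import re

# Added example (not from the thread or pdf.js): flag PDFs whose document-level
# /OpenAction resolves to a /S /JavaScript action, the construction the poster
# describes. Only uncompressed objects are scanned; object streams are skipped.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")          # indirect ref
INLINE_RE = re.compile(rb"/OpenAction\s*(<<.*?>>)", re.S)       # inline dict
JS_LIT_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.S)        # (literal)
JS_HEX_RE = re.compile(rb"/JS\s*<([0-9A-Fa-f\s]*)>")            # <hex string>

# Constructed sample mirroring the thread's recipe: /OpenAction 99 0 R in the
# catalog, object 99 carrying the JavaScript action with escaped parentheses.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<</Type /Catalog /Lang (en-US) /OpenAction 99 0 R>>
endobj
99 0 obj
<</Type /Action /S /JavaScript /JS (app.alert\\(1\\);)>>
endobj
"""

def index_objects(pdf: bytes) -> dict:
    """Map object number -> raw body for every 'N G obj ... endobj' block."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}

def extract_js(action: bytes):
    """Return the /JS payload as text from a literal or hex string, else None."""
    if m := JS_LIT_RE.search(action):   # undo literal-string escapes \( \) \\
        return re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
    if m := JS_HEX_RE.search(action):
        return bytes.fromhex(m.group(1).decode("ascii")).decode("latin-1")

def find_open_action_js(pdf: bytes) -> list:
    """List every object whose /OpenAction resolves to a JavaScript action."""
    objs = index_objects(pdf)
    findings = []
    for num, body in objs.items():
        if ref := REF_RE.search(body):
            action_obj = int(ref.group(1))
            action = objs.get(action_obj, b"")   # dangling ref -> no action
        elif inline := INLINE_RE.search(body):
            action_obj, action = num, inline.group(1)
        else:
            continue
        if re.search(rb"/S\s*/JavaScript\b", action):
            findings.append({"catalog_obj": num, "action_obj": action_obj,
                             "js": extract_js(action)})
    return findings
```

Running `find_open_action_js(SAMPLE_PDF)` reports object 1 pointing at object 99 with the decoded script `app.alert(1);`; a catalog whose /OpenAction is a /GoTo action produces no finding.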

Chosen solution

Reply from Mozilla: 'Yes, this is the expected behavior. The JS is executed in a sandbox. See here for a blog post describing JS in the PDF viewer: https://hacks.mozilla.org/2021/10/implementing-form-filling-and-accessibility-in-the-firefox-pdf-viewer/'.


All Replies (3)


Here's a helpful response for Chris:

Hi Chris,

It seems like you’re still encountering some unexpected behavior with FF 115.19.0esr in relation to CVE-2024-4367. Based on what you’ve described, it looks like the vulnerability should indeed be patched in versions later than 115.11esr, but you're still seeing some odd behavior.

From what you’ve tested, it seems like the exploitation vector you're testing with may be limited, especially since the original PoC and FontMatrix aren’t working as expected. The alert box popping twice could be a side effect of a different mechanism, perhaps from settings within the browser or some external configuration that’s still allowing the script to execute in some way.

If you haven’t already, I’d suggest double-checking the following:

  • Clear browser cache – sometimes older scripts or settings can linger and cause odd behavior.
  • Check about:config – ensure no custom settings or extensions are interfering with JavaScript handling.
  • Test in a fresh Firefox profile – this could help rule out any profile-specific issues or settings that might be causing this.

It could also be helpful to verify that you're running the latest security updates for the browser. If the issue persists, it might be worth contacting Mozilla security to confirm if your testing method aligns with their expectations for the patch.

Hope this helps narrow things down a bit!

Best, Kera


Hi,

Perhaps it would be better to ask this question on GitHub => https://github.com/mozilla/pdf.js/issues

