Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

CVE-2024-4367 PDF.js vulnerability | No advisory from Mozilla?

  • 4 replies
  • 1 has this problem
  • 229 views
  • Last reply by dveditz

more options

CVE-2024-4367 has been announced several days now with MITRE and CIS. There is also an issue/advisory on the github repo for PDF.js which appears that the fix has been merged into the master commit of PDF.js (https://github.com/advisories/GHSA-wgrm-67xf-hhpq).

The vulnerability is pretty serious and yet there is no Security Advisory from Mozilla on affected versions, etc. (https://www.mozilla.org/en-US/security/advisories/)

Is this normal and I am just being impatient?

CVE-2024-4367 has been announced several days now with MITRE and CIS. There is also an issue/advisory on the github repo for PDF.js which appears that the fix has been merged into the master commit of PDF.js (https://github.com/advisories/GHSA-wgrm-67xf-hhpq). The vulnerability is pretty serious and yet there is no Security Advisory from Mozilla on affected versions, etc. (https://www.mozilla.org/en-US/security/advisories/) Is this normal and I am just being impatient?

All Replies (4)

more options

Hi, we don't have any insight into security issues. I guess it can land in version 126, which will be released may 14.

more options

Vulnerabilities usually are not disclosed until fixed, but because PDF.js is a stand-alone component, its disclosure already came out while products that embed it -- like Firefox -- have not yet been updated.

Until someone provides a viable workaround (or permanent fix), it sounds as though the safest thing to do is to stop using the built-in PDF.js viewer. This article will get you to the relevant part of the Settings page: View PDF files using Firefox’s built-in viewer.

I haven't decided whether to do that. It's difficult to know when an exploit is actually being used in the wild and the odds of being attacked. Hopefully there will be some more tips soon since the next Firefox update isn't due until Tuesday.

more options

Hi

I have reached out to the Mozilla Security team who were able to advise me that we did not consider the vulnerability to be severe enough to support an unplanned update, but the fix is part of our upcoming scheduled update that is due to land in the Release version of Firefox next week.

We do not believe that the exploit is public or has been used in known attacks, but if you are concerned you may rich to use the Beta version of Firefox which already has the fix applied.

Thank you.

more options

> we did not consider the vulnerability to be severe enough to support an unplanned update

To add a little nuance, Paul is not contradicting calvin.tate's concern that the "vulnerability is pretty serious". It is—for PDF.js used on a website. As used in Firefox, the unintended script is opened in an unprivileged context that's more like opening a file:// url. In particular it is _not_ an XSS risk for the site you downloaded the PDF from: the address bar is a white lie that is less confusing to users than showing the real internal URL (Reader Mode does something similar).