CVE-2024-4367 PDF.js vulnerability | No advisory from Mozilla?
CVE-2024-4367 has been announced several days now with MITRE and CIS. There is also an issue/advisory on the github repo for PDF.js which appears that the fix has been merged into the master commit of PDF.js (https://github.com/advisories/GHSA-wgrm-67xf-hhpq).
The vulnerability is pretty serious and yet there is no Security Advisory from Mozilla on affected versions, etc. (https://www.mozilla.org/en-US/security/advisories/)
Is this normal and I am just being impatient?
Krejt Përgjigjet (4)
Hi, we don't have any insight into security issues. I guess it can land in version 126, which will be released may 14.
Vulnerabilities usually are not disclosed until fixed, but because PDF.js is a stand-alone component, its disclosure already came out while products that embed it -- like Firefox -- have not yet been updated.
Until someone provides a viable workaround (or permanent fix), it sounds as though the safest thing to do is to stop using the built-in PDF.js viewer. This article will get you to the relevant part of the Settings page: View PDF files using Firefox’s built-in viewer.
I haven't decided whether to do that. It's difficult to know when an exploit is actually being used in the wild and the odds of being attacked. Hopefully there will be some more tips soon since the next Firefox update isn't due until Tuesday.
Hi
I have reached out to the Mozilla Security team who were able to advise me that we did not consider the vulnerability to be severe enough to support an unplanned update, but the fix is part of our upcoming scheduled update that is due to land in the Release version of Firefox next week.
We do not believe that the exploit is public or has been used in known attacks, but if you are concerned you may rich to use the Beta version of Firefox which already has the fix applied.
Thank you.
> we did not consider the vulnerability to be severe enough to support an unplanned update
To add a little nuance, Paul is not contradicting calvin.tate's concern that the "vulnerability is pretty serious". It is—for PDF.js used on a website. As used in Firefox, the unintended script is opened in an unprivileged context that's more like opening a file:// url. In particular it is _not_ an XSS risk for the site you downloaded the PDF from: the address bar is a white lie that is less confusing to users than showing the real internal URL (Reader Mode does something similar).