CVE-2024-4367: Arbitrary JavaScript Execution Vulnerability in PDF.js Affecting Firefox and Thunderbird

Mozilla recently announced the discovery of a security vulnerability, identified as CVE-2024-4367, affecting Firefox, Firefox ESR, and Thunderbird versions prior to 126, 115.11, and 115.11 respectively. The issue lies in the handling of fonts within the PDF.js library, where a missing type check could lead to the execution of arbitrary JavaScript code in the PDF.js context. In this post, we will take a closer look at the vulnerability's details, provide an example of a possible exploit, and discuss mitigation steps for affected users.

Background: PDF.js

PDF.js is a popular open-source library developed by Mozilla to display Portable Document Format (PDF) files within web browsers without requiring any additional plugins or software. The library, which is implemented in JavaScript and HTML5, is integrated into Firefox by default and can also be used in other browser environments.

- Project's GitHub Repository: https://github.com/mozilla/pdf.js
- Official Website: https://mozilla.github.io/pdf.js/

Vulnerability Details

CVE-2024-4367 is caused by a missing type check when PDF.js processes font data embedded in a PDF. By crafting a PDF whose embedded font carries a malicious value and getting a user to open it in an affected version of Firefox or Thunderbird (in Firefox, following a link is enough, since PDFs are displayed inline by the built-in viewer), an attacker can execute arbitrary JavaScript in the context of the PDF.js viewer. In Firefox that is the viewer's own context; for websites and applications that embed PDF.js, the code runs in the embedding origin, so the impact there is equivalent to cross-site scripting: access to cookies and storage available to that origin, and any action that origin is allowed to perform. The flaw does not by itself give control of the underlying operating system.

To draw text quickly, PDF.js compiles glyph outlines into small JavaScript functions: it generates source code for the drawing commands and turns it into a function with new Function. Values read from the embedded font program, in particular the six entries of the font matrix, were concatenated directly into that generated source. The code assumed these entries were numbers, but nothing verified it: a crafted font can supply a string where a number is expected, and because that string is spliced into JavaScript source, its contents run as code the first time an affected glyph is rendered. The fix adds the missing type check so that only numeric values ever reach the generated code.

Consider the following simplified sketch of the pattern (this is an illustration, not the library's actual source; the real glyph compiler lives in src/core/font_renderer.js):

// Simplified sketch of the glyph compiler pattern (not PDF.js's actual source)
const fontMatrix = font.fontMatrix;   // six values read from the embedded font program
const jsBuf = [];
jsBuf.push("c.transform(" + fontMatrix.join(",") + ");\n");   // values spliced into source
// ... further drawing commands are appended the same way ...
const drawGlyph = new Function("c", "size", jsBuf.join(""));

With a well-formed font, fontMatrix is something like [0.001, 0, 0, 0.001, 0, 0] and the generated line is harmless. If one element is instead a string that closes the transform(...) call and appends a statement of its own, join(",") copies it verbatim into the source, and new Function compiles it and later executes it when the glyph is drawn. Two practical consequences follow: the payload lives in the font program, not in the PDF's /JavaScript actions, so disabling PDF scripting in the viewer does not prevent it; and it runs with whatever privileges the page hosting the viewer has.
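The following runnable model, added here and not taken from PDF.js or from the original post, reproduces the pattern in miniature: an unsafe glyph compiler that joins font-matrix values into generated source, the type check that the fix adds in spirit, and a recording stand-in for the canvas context so the effect can be observed. All function and variable names, and both input matrices, are this example's own constructions; only the default matrix value [0.001, 0, 0, 0.001, 0, 0] is PDF.js's.

```javascript
// Added example, not PDF.js's own code: a stripped-down model of the glyph
// compiler pattern behind CVE-2024-4367. PDF.js turns glyph drawing commands
// into JavaScript source and compiles it with `new Function`; values taken from
// the embedded font (here: the 6-element font matrix) were joined straight
// into that source. Function and variable names below are this example's own.

// PDF.js's default matrix for fonts that supply none (1/1000 text-space units).
const FONT_IDENTITY_MATRIX = [0.001, 0, 0, 0.001, 0, 0];

// Models the vulnerable behaviour: whatever is in fontMatrix ends up in the
// generated source, so a string element becomes code.
function compileGlyphUnsafe(fontMatrix) {
  const jsBuf = [];
  jsBuf.push(`c.transform(${fontMatrix.join(",")});\n`);
  jsBuf.push("c.moveTo(0,0);\n");
  jsBuf.push("c.lineTo(size,size);\n");
  return new Function("c", "size", jsBuf.join(""));
}

// Type check in the spirit of the fix: the matrix must be exactly six finite
// numbers, otherwise fall back to the identity matrix. Only numbers can then
// reach the generated source.
function sanitizeFontMatrix(fontMatrix) {
  const ok =
    Array.isArray(fontMatrix) &&
    fontMatrix.length === 6 &&
    fontMatrix.every(v => typeof v === "number" && Number.isFinite(v));
  return ok ? fontMatrix : FONT_IDENTITY_MATRIX;
}

function compileGlyphSafe(fontMatrix) {
  return compileGlyphUnsafe(sanitizeFontMatrix(fontMatrix));
}

// A tiny stand-in for the canvas context that records the calls made on it.
function makeRecorder() {
  const calls = [];
  return {
    transform: (...args) => calls.push(["transform", args]),
    moveTo: (...args) => calls.push(["moveTo", args]),
    lineTo: (...args) => calls.push(["lineTo", args]),
    calls,
  };
}

// Runs a compiled glyph against a recorder and reports what happened.
// `hijacked` is only ever set by the smuggled statement, never by the model itself.
function renderWith(compile, fontMatrix) {
  const c = makeRecorder();
  compile(fontMatrix)(c, 10);
  return { calls: c.calls, hijacked: c.hijacked === true };
}

// Constructed inputs: a normal Type1 font matrix, and one whose last element
// is a string that closes the transform() call and smuggles in a statement.
const BENIGN_MATRIX = [0.001, 0, 0, 0.001, 0, 0];
const MALICIOUS_MATRIX = [1, 0, 0, 1, 0, "0); c.hijacked = true; (0"];

// Usage: the unsafe compiler executes the smuggled statement, the safe one does not.
console.log(renderWith(compileGlyphUnsafe, MALICIOUS_MATRIX).hijacked); // true
console.log(renderWith(compileGlyphSafe, MALICIOUS_MATRIX).hijacked);   // false
```

The generated source for the malicious matrix reads `c.transform(1,0,0,1,0,0); c.hijacked = true; (0);`, which is syntactically valid JavaScript, so the string has become a statement without any error being raised. The sanitizer rejects it because one element is not a number and substitutes the identity matrix, so the safe path renders the glyph with a default transform instead of executing attacker-controlled code. Embedders who cannot update immediately can also disable this code-generation path entirely through PDF.js's isEvalSupported option (see the mitigation section).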

Affected Versions

- Firefox (before 126)
- Firefox ESR (before 115.11)
- Thunderbird (before 115.11)

These products are affected on all desktop platforms, including Windows, macOS, and Linux. Because PDF.js is also distributed as a standalone library (see the background section above), any website, Electron application or other software that bundles its own copy of PDF.js is affected as well until that copy is updated to a release containing the fix.

Mitigation Steps

To protect yourself from potential exploitation, it is crucial to update your Firefox, Firefox ESR, or Thunderbird to the latest available version that contains the patch for CVE-2024-4367.

Follow the steps below for each product:

1. Firefox: Click on the three horizontal bars in the browser's upper right corner, choose "Help," and then "About Firefox." The browser will automatically check for updates and install the latest version (126 or later) if available.

2. Firefox ESR: Similar to the regular Firefox update process, click on the three horizontal bars, choose "Help," and then "About Firefox ESR." The browser will automatically check for updates and install the latest version (115.11 or later) if available.

3. Thunderbird: Open Thunderbird and click on the three horizontal bars in the upper right corner. Choose "Help" and then "About Thunderbird." The software will automatically check for updates and install the latest version (115.11 or later) if available.

4. Applications that bundle PDF.js: update the bundled pdf.js (or the wrapper package that pulls it in) to a release containing the fix, and redeploy. Where an immediate update is not possible, passing isEvalSupported: false to pdfjsLib.getDocument() makes the library fall back to its slower, non-eval glyph rendering path, which avoids the vulnerable code generation at the cost of rendering performance.

Remember to restart your browser or email client after installing the updates to ensure that the patch is properly applied.

Conclusion

CVE-2024-4367 is a serious security vulnerability within PDF.js that allows arbitrary JavaScript execution in the viewer's context when rendering a maliciously crafted font. Users of affected versions of Firefox, Firefox ESR, and Thunderbird are advised to update to the latest software version, and developers who embed PDF.js should update their bundled copy, to protect against potential exploitation. As always, exercise caution when opening files from unknown sources and be vigilant about keeping your software up to date.

Timeline

Published on: 05/14/2024 18:15:12 UTC
Last modified on: 06/10/2024 17:16:33 UTC