
Cloud Vulnerability DB
A community-led vulnerabilities database
An exploitable double-free vulnerability (CVE-2021-21797) exists in the JavaScript implementation of Nitro Pro PDF. The vulnerability was discovered and disclosed in October 2021. A specially crafted document can cause a reference to a timeout object to be stored in two different places. When the document is closed, that reference is released twice. This vulnerability affects Nitro Pro versions 13.31.0.605 and 13.33.2.645 (Talos Report).
The vulnerability occurs in the JavaScript implementation when handling timeout objects. When the application initializes its JavaScript plugin using Mozilla's SpiderMonkey, it creates objects and classes to expose PDF automation points. The issue arises when a timeout object's private data is registered with both the HFT Extension Manager and stored in a global array, without proper reference counting. Upon document closure, this same reference can be freed twice: once by the JSTimeOutDestructor function and again when cleaning up the global array. The vulnerability has a CVSS v3.0 score of 8.8 (HIGH) with vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).
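The ownership flaw described above, reduced to a small C model as an added example (not Nitro Pro's code, and not taken from the Talos report). All names are hypothetical, the fixed pool stands in for the heap so the second release can be counted safely, and the reference-counted variant shows one general remedy, not necessarily the vendor's fix.

```c
#include <stddef.h>

/* Constructed model; all names are hypothetical, not Nitro Pro's. */
typedef struct { int in_use; int refs; } Timeout;
static Timeout pool[4];    /* fixed pool: a repeated free is observable, not undefined */
static int double_frees;   /* releases of a slot that was already free */

static Timeout *timeout_new(void) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].refs = 1; return &pool[i]; }
    return NULL;
}
static void pool_free(Timeout *t) {
    if (!t) return;
    if (!t->in_use) { double_frees++; return; }  /* on a real heap: memory corruption */
    t->in_use = 0;
}

/* Two holders of the same pointer, as in the description above. */
static Timeout *manager_slot;  /* stands in for the extension-manager registration */
static Timeout *global_slot;   /* stands in for the global array entry */

/* Flawed pattern: both holders act as sole owner at document close. */
int close_document_unsafe(void) {
    double_frees = 0;
    manager_slot = global_slot = timeout_new();  /* one object, two stored copies */
    pool_free(manager_slot);                     /* destructor path */
    pool_free(global_slot);                      /* global-array cleanup path */
    return double_frees;
}

static void timeout_ref(Timeout *t) { t->refs++; }
static void timeout_unref(Timeout **slot) {
    Timeout *t = *slot;
    *slot = NULL;                           /* the holder forgets its copy */
    if (t && --t->refs == 0) pool_free(t);  /* only the last holder frees */
}

/* Hardened pattern: every stored copy takes its own reference. */
int close_document_counted(void) {
    double_frees = 0;
    manager_slot = timeout_new();
    global_slot = manager_slot;
    timeout_ref(global_slot);
    timeout_unref(&manager_slot);
    timeout_unref(&global_slot);
    return double_frees;
}

int main(void) { return (close_document_unsafe() == 1 && close_document_counted() == 0) ? 0 : 1; }
```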
This vulnerability can lead to code execution under the context of the application. An attacker who successfully exploits this vulnerability could execute arbitrary code with the same privileges as the Nitro Pro PDF application (Talos Report, NVD).
Users are encouraged to update to the latest version of Nitro Pro PDF that contains fixes for these issues. Additionally, users can mitigate the vulnerability by disabling JavaScript support in the software's settings (Vuln Spotlight).
Source: This report was generated using AI