CVE-2023-33866: 
Foxit PDF Reader vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2023-33866) was discovered in the JavaScript engine of Foxit Software's PDF Reader, version 12.1.2.15332. The vulnerability was disclosed on July 19, 2023, and affects the PDF Reader's handling of form elements in its JavaScript implementation (Talos Report).

The vulnerability exists in the way Foxit Reader handles certain events of form elements, specifically during the OnBlur event processing. When objects associated with pages are prematurely deleted, it can trigger the reuse of previously freed memory. The issue occurs when a callback function is assigned to an OnBlur action for a field, which is triggered by setFocus calls. The deletePages function call in the event handler frees objects while additional setFocus calls are queued in the event loop, leading to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).

The vulnerability can lead to arbitrary code execution on the targeted system. Since additional JavaScript code can be executed between object free and reuse, freed memory could be put under attacker control. With careful memory layout manipulation, this can lead to memory corruption and ultimately arbitrary code execution (Talos Report).

Foxit has released patches to address this vulnerability. Users should update their Foxit Reader installations using the patches available at the official Foxit download pages (Talos Report).