
Cloud Vulnerability DB
A community-led vulnerabilities database
A type check vulnerability (CVE-2024-4367) was discovered in PDF.js that allows arbitrary JavaScript execution in the PDF.js context. The vulnerability affects Firefox versions before 126, Firefox ESR versions before 115.11, and Thunderbird versions before 115.11. The issue was discovered by Thomas Rinsma of Codean Labs and was publicly disclosed on May 14, 2024 (Mozilla Advisory).
The vulnerability stems from a missing type check when handling fonts in PDF.js, specifically during the glyph path compilation process involving Type 1 fonts. The issue occurs in the FontFaceObject.getPathGenerator method, where font matrix values from PDF dictionaries are not properly validated before being used in JavaScript code generation. This vulnerability requires isEvalSupported to be true, which is the default setting (GitHub Advisory, Bugzilla).
When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the PDF.js context, potentially enabling them to spy on user activity, trigger downloads (including file:// URLs), and leak PDF file paths. In web applications using PDF.js, this could lead to stored XSS attacks on the respective page's origin. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
The vulnerability has been fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. For PDF.js library users, the fix is available in version 4.2.67. The fix involves implementing proper type validation for font matrix values before they are used in JavaScript code generation (Mozilla Advisory, Debian Advisory).
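The kind of type validation described above, as an added sketch that is not PDF.js source code: an untrusted font matrix is accepted only as six finite numbers before it is interpolated into generated JavaScript, and the generated text is checked again against a numeric-only pattern. All function names, the fallback matrix and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not PDF.js code. Every identifier below is hypothetical.
const DEFAULT_FONT_MATRIX = [0.001, 0, 0, 0.001, 0, 0]; // assumed fallback value

// Accept only an array of exactly six finite numbers. Strings, nested
// arrays, NaN/Infinity or a wrong length all fall back to the default.
function validateFontMatrix(value) {
  const ok =
    Array.isArray(value) &&
    value.length === 6 &&
    value.every((n) => typeof n === "number" && Number.isFinite(n));
  return ok ? value.slice() : DEFAULT_FONT_MATRIX.slice();
}

// Mimics an eval-based path compiler: matrix values become part of
// JavaScript source text, so they must be validated first.
function buildTransformSource(fontMatrix) {
  const m = validateFontMatrix(fontMatrix);
  return `c.transform(${m.join(",")});`;
}

// Second layer: the generated statement may contain numeric literals only.
const NUM = String.raw`-?\d+(?:\.\d+)?(?:e[+-]?\d+)?`;
const SAFE_CALL = new RegExp(`^c\\.transform\\(${NUM}(?:,${NUM}){5}\\);$`);

function isNumericOnlySource(src) {
  return SAFE_CALL.test(src);
}

// Constructed sample inputs (not taken from any real PDF).
const wellFormed = [0.002, 0, 0, 0.002, 10, -5];
const malformed = [0.001, 0, 0, 0.001, 0, "abc"]; // last entry has the wrong type

for (const sample of [wellFormed, malformed]) {
  const src = buildTransformSource(sample);
  console.log(src, "numeric-only:", isNumericOnlySource(src));
}
```

Without the validation step, the string entry in the malformed sample would be copied into the generated source unchanged, which is the condition the numeric-only check rejects.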
Source: This report was generated using AI