Security Advisory: Vulnerability in PDF.js used by DearFlip JS Flipbook
Overview
The DearFlip JS Flipbook module depends on the PDF.js library, which is affected by two critical vulnerabilities: CVE-2024-4367 and CVE-2024-34342. These issues stem from a missing type check when handling fonts in PDF.js, which leads to arbitrary JavaScript execution in the context of the hosting domain.
Impact
If a malicious PDF is loaded using PDF.js while the configuration option isEvalSupported is set to true (the default), an attacker can execute unrestricted, attacker-controlled JavaScript. This can result in a complete compromise of the application’s domain context.
The vulnerabilities affect:
- Firefox < 126
- Firefox ESR < 115.11
- Thunderbird < 115.11
Since DearFlip bundles PDF.js, any environment using DearFlip is potentially exposed if the vulnerable version of PDF.js is present.
Severity
Critical
Recommendation
Update PDF.js to a patched version that includes fixes for CVE-2024-4367 and CVE-2024-34342. Ensure that DearFlip is updated to bundle the latest secure release of PDF.js.
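To check a deployment for the condition described above, the following added example (not code from DearFlip or PDF.js) reads the PDF.js version embedded in the bundle text, compares it numerically with the first patched release, and reports whether eval support is still enabled. The `pdfjsVersion = "x.y.z"` pattern, the `loaderOptions` object and the sample version numbers are assumptions; take the patched release number from the upstream PDF.js advisory.

```javascript
// Added example (not DearFlip or PDF.js project code).
// Assumption: the bundled PDF.js build embeds its release as `pdfjsVersion = "x.y.z"`.
const VERSION_RE = /pdfjsVersion\s*=\s*["'](\d+)\.(\d+)\.(\d+)["']/;

// Return [major, minor, patch] from bundle text, or null if no version string is found.
function extractPdfjsVersion(bundleText) {
  const m = VERSION_RE.exec(bundleText);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Parse "x.y.z" into numbers; throws on malformed input so a typo cannot pass silently.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s);
  if (!m) throw new Error(`not an x.y.z version: ${s}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component (so 1.10.0 is newer than 1.9.4, unlike string comparison).
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// fixedVersion: first patched PDF.js release, supplied by the caller from the upstream advisory.
// loaderOptions: hypothetical object holding the options your page passes to PDF.js.
function assessExposure(bundleText, fixedVersion, loaderOptions = {}) {
  const found = extractPdfjsVersion(bundleText);
  // The advisory states isEvalSupported defaults to true, so only an explicit false turns it off.
  const evalEnabled = loaderOptions.isEvalSupported !== false;
  if (!found) {
    return { version: null, evalEnabled, status: "unknown" }; // inspect the bundle manually
  }
  const outdated = isOlder(found, parseVersion(fixedVersion));
  const status = !outdated ? "patched" : evalEnabled ? "exposed" : "outdated-eval-off";
  return { version: found.join("."), evalEnabled, status };
}

// Constructed sample input; these version numbers are placeholders, not real PDF.js releases.
const sampleBundle = 'var pdfjsVersion = "1.9.4"; var pdfjsBuild = "constructed";';
console.log(assessExposure(sampleBundle, "1.10.0"));
console.log(assessExposure(sampleBundle, "1.10.0", { isEvalSupported: false }));
```

A status of "outdated-eval-off" still calls for the update recommended above; "unknown" means the version string was not found and the bundle needs manual inspection.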