Arbitrary JavaScript Execution Vulnerability in Firefox

CVE-2024-4367

Currently unrated 🤨

Key Information

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 14 May 2024

Badges

🔥 No. 1 Trending😄 Trended👾 Exploit Exists🔴 Public PoC📰 News Worthy

Summary

A critical vulnerability, CVE-2024-4367, has been discovered in Firefox, affecting versions <126 as well as Thunderbird <115.11. The vulnerability allows for arbitrary JavaScript execution in the PDF.js context, impacting not only Firefox users but also web- and Electron-based applications that use PDF.js for preview functionality. Exploiting this vulnerability can lead to an attacker executing remote code, which could result in data leaks, malicious actions, or even account takeovers in affected applications. The best mitigation is to update to PDF.js version 4.2.67 or higher, with wrapper libraries like react-pdf also issuing patched versions. Setting the PDF.js setting isEvalSupported to false provides a simple workaround, and a strict content-security policy can also prevent the vulnerability. The issue was disclosed to Mozilla on April 26, 2024, and a fix was released on April 29, with updated versions of Firefox, Firefox ESR, and Thunderbird released on May 14 to include the fixed version of PDF.js.

Affected Version(s)

Firefox < 126

Firefox ESR < 115.11

Thunderbird < 115.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-4367-POC
Created by s4vvysec

cve-2024-4367-PoC-fixed
Created by Zombie-Kaiser

pdfjs-vuln-demo
Created by snyk-labs