Arbitrary JavaScript Execution Vulnerability in Firefox
CVE-2024-4367
Key Information
- Vendor: Mozilla
- Affected products: Firefox, Firefox ESR, Thunderbird
- CVE Published: 14 May 2024
What is CVE-2024-4367?
CVE-2024-4367 is a vulnerability identified in the Mozilla Firefox browser, particularly affecting versions prior to 126, as well as Firefox Extended Support Release (ESR) versions below 115.11 and Thunderbird versions below 115.11. This vulnerability involves a flaw in the handling of fonts within PDF.js, which can lead to arbitrary JavaScript execution in the context of PDF documents. The ability to execute arbitrary JavaScript can have severe consequences for organizations, as it could enable attackers to manipulate web content, conduct phishing attacks, or deploy malware directly within users’ browsers, compromising sensitive information and disrupting business operations.
Technical Details
The root cause of CVE-2024-4367 lies in a type check that was not implemented when the browser processed fonts through PDF.js, a library used to render PDF files in web applications. This oversight allows maliciously crafted PDF files to execute JavaScript code within the browser environment, which can be exploited to bypass security restrictions and enable further attacks. Given the widespread usage of PDF documents in professional correspondence and documentation, this vulnerability poses a significant risk to users who open such files through affected versions of Firefox or Thunderbird.
Impact of the Vulnerability
- Arbitrary Code Execution: The vulnerability allows attackers to execute arbitrary JavaScript within the context of the PDF document, potentially leading to further exploits, data exfiltration, or system compromise.
- Data Breaches: If exploited successfully, this vulnerability could facilitate unauthorized access to sensitive information stored within the browser or affect user sessions, leading to potential data breaches.
- Widespread Exploitation Risk: Given that the vulnerability has been confirmed as being exploited in the wild, organizations are at risk of falling victim to targeted attacks leveraging malicious PDFs, emphasizing the need for immediate attention to patching and mitigation strategies.
Affected Version(s)
Firefox < 126
Firefox ESR < 115.11
Thunderbird < 115.11
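An inventory check built from the version thresholds listed above, as an added example that is not part of the original page. The host names, the `host,product,version` input format and the function names are constructed for illustration, and the check assumes ESR builds report an `esr` suffix in their version string.

```python
import re

# Fixed versions taken from the "Affected Version(s)" list on this page.
FIXED = {"firefox": (126,), "firefox-esr": (115, 11), "thunderbird": (115, 11)}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)

# Constructed sample inventory (host,product,version); not real data.
SAMPLE_INVENTORY = """\
ws-014,Firefox,125.0.3
ws-022,Firefox,126.0
ws-031,Firefox,115.10.0esr
ws-032,Firefox,115.11.0esr
ws-033,Firefox,115.11.0
mail-03,Thunderbird,115.10.1
mail-04,Thunderbird,115.11.0
ws-040,Firefox,126.0b9
"""

def is_affected(product, raw_version):
    """True = affected, False = fixed, None = unrecognised (needs manual review)."""
    match = VERSION_RE.match(raw_version.strip())
    key = product.strip().lower()
    if match is None or key not in ("firefox", "thunderbird"):
        return None
    numbers = tuple(int(part) for part in match.group(1).split("."))
    # Assumption: ESR builds carry an "esr" suffix. Without it the build is judged
    # against the release threshold, which over-reports rather than under-reports.
    if key == "firefox" and match.group(2):
        key = "firefox-esr"
    fixed = FIXED[key]
    width = max(len(numbers), len(fixed))
    # Pad with zeros so "126" and "126.0" compare equal to the threshold.
    padded = numbers + (0,) * (width - len(numbers))
    return padded < fixed + (0,) * (width - len(fixed))

def audit(inventory_text):
    """Sort hosts into affected / fixed / review buckets."""
    findings = {"affected": [], "fixed": [], "review": []}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        verdict = is_affected(product, version)
        bucket = "review" if verdict is None else "affected" if verdict else "fixed"
        findings[bucket].append(host)
    return findings

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Pre-release strings such as `126.0b9` land in the review bucket instead of being guessed at, and a Firefox build reporting `115.11.0` without the `esr` suffix is flagged as affected because it is compared against the release threshold of 126.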
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
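A weakness in the component Firefox uses to access PDF files could be used to execute arbitrary JavaScript code
Last week, researchers explained the PDF.js vulnerability CVE-2024-4367, which the Mozilla Foundation patched in Firefox 126, and pointed out that the flaw is related to font handling and gives attackers an opportunity to execute arbitrary JavaScript code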
7 months ago
PoC Released for JavaScript execution Vulnerability in PDF.js
A vulnerability, identified as CVE-2024-4367, was discovered in PDF.js, a widely used JavaScript-based PDF viewer maintained by Mozilla.
7 months ago
Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox
Researchers uncover critical security flaws in two widely used software packages, llama_cpp_python for AI models and PDF.js used by Firefox.
7 months ago
Timeline
- 🔴 Public PoC available
- 🔥 Vulnerability reached the number 1 worldwide trending spot
- 👾 Exploit known to exist
- Vulnerability started trending
- Vulnerability published
- First article discovered by GBHackers on Security
- Vulnerability Reserved