This page details a critical vulnerability (CVE-2024-4367) discovered by Codean Labs in PDF.js, the library used by Firefox and many web applications to view PDF files. The vulnerability allows an attacker to execute arbitrary JavaScript code simply by having a victim open a malicious PDF file.
To display fonts that are not standard (like obscure Type 1 fonts), PDF.js has to manually draw the characters (glyphs) using curves.
To make this process fast, PDF.js takes the drawing commands and compiles them into a JavaScript Function object. It builds a string of code and then executes it:
// Vulnerable logic in PDF.js: each drawing command and its arguments are pasted into a string of source code
jsBuf.push("c.", current.cmd, "(", args, ");\n");
// ...
// ... and the string is then compiled into a real function
return new Function("c", "size", jsBuf.join(""));
One of the drawing commands is transform, which takes a matrix of numbers called the fontMatrix.
The code assumed that fontMatrix would only ever contain numbers. However, the FontMatrix can be defined in the PDF metadata, and PDF.js did not validate the types of the values inside this matrix. Because PDF.js constructs the function body by string concatenation without sanitization, an attacker can inject malicious strings through the fontMatrix.
An attacker creates a PDF with a FontMatrix looking like this:
/FontMatrix [1 2 3 4 5 (0); alert('Hacked')]
When PDF.js compiles the glyph, it blindly inserts that string into the code:
// Resulting generated code
c.transform(1, 2, 3, 4, 5, 0); alert('Hacked'); // ... rest of code
The malicious code (alert) is now part of the function and executes immediately when the font is rendered.
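The pattern above, as an added example that is not PDF.js's own code: a minimal model of the glyph compiler that shows how a non-numeric FontMatrix entry becomes source text, next to a hardened variant (an assumption, not the upstream fix) that rejects non-numeric arguments before any code is built. The names buildGlyphSource, compileGlyphUnsafe, compileGlyphSafe and recordingContext are hypothetical, and the inputs are constructed.

```javascript
// Same pattern as the vulnerable logic: every command's args are joined with
// "," and pasted into the function body with no type check.
function buildGlyphSource(cmds) {
  const jsBuf = [];
  for (const current of cmds) {
    const args = current.args !== undefined ? current.args.join(",") : "";
    jsBuf.push("c.", current.cmd, "(", args, ");\n");
  }
  return jsBuf.join("");
}

// Vulnerable: whatever the PDF parser put into the args array becomes code.
function compileGlyphUnsafe(cmds) {
  return new Function("c", "size", buildGlyphSource(cmds));
}

// Hardened variant (assumption, not the upstream patch): reject any argument
// that is not a finite number, so only numerals can reach the generated source.
function compileGlyphSafe(cmds) {
  for (const current of cmds) {
    for (const arg of current.args ?? []) {
      if (typeof arg !== "number" || !Number.isFinite(arg)) {
        throw new TypeError(`non-numeric argument in ${current.cmd}: ${JSON.stringify(arg)}`);
      }
    }
  }
  return compileGlyphUnsafe(cmds);
}

// Constructed inputs: the parsed values for a benign FontMatrix and for one whose
// last entry is a PDF string (the page's payload as the parser would hand it over).
const benignCmds = [{ cmd: "transform", args: [1, 2, 3, 4, 5, 0] }];
const injectedCmds = [{ cmd: "transform", args: [1, 2, 3, 4, 5, "0); alert('Hacked'"] }];

// Stand-in for a canvas context that records which drawing calls the glyph code makes.
function recordingContext() {
  const calls = [];
  return { calls, transform: (...a) => calls.push(["transform", a]) };
}

function demo() {
  const source = buildGlyphSource(injectedCmds);   // the injected statement is now code
  const ctx = recordingContext();
  compileGlyphSafe(benignCmds)(ctx, 1);            // numbers only: compiles and draws
  let rejected = false;
  try { compileGlyphSafe(injectedCmds); } catch (e) { rejected = e instanceof TypeError; }
  return { source, calls: ctx.calls, rejected };
}
```

The unsafe compiler accepts the injected matrix without complaint; the generated text is exactly the line shown above, so the payload runs as soon as the compiled function is called.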
In Firefox, this code runs in the origin resource://pdf.js. While this doesn't give full access to the file system, it is more privileged than a standard website (e.g., it can determine the full path of the PDF file on the disk).