You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Summary
If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
Patches
This patch forces isEvalSupported to false, removing the attack vector.
Workarounds
Set options.isEvalSupported to false, where options is Document component prop.
Summary
If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
Patches
This patch forces
isEvalSupportedtofalse, removing the attack vector.Workarounds
Set
options.isEvalSupportedtofalse, whereoptionsisDocumentcomponent prop.References
GHSA-wgrm-67xf-hhpq
mozilla/pdf.js#18015
mozilla/pdf.js@85e64b5
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645