PDF.js CVE-2024-4367
First of all, thanks for the awesome project!
There was a vulnerability found in PDF.js, and a new version, 4.2.67, was released to fix it. In short, if submitting a PDF with malformed fonts, pdf.js can render an XSS.
I haven't checked if it is exploitable in this project's conditions, but thought it is worth a heads-up, as it is using it as a dependency.
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
How do we manually update it?
There is a pdf.js file in source which you would need to replace. We are actually running pdfjsVersion = '3.11.174'; and are quite behind, so there might be some breaking changes we need to migrate.
If anyone wants to pick this up, I would greatly appreciate it.
Indeed, those changes are listed in the first v4 release changelog, namely 4.0.189, with the [api-minor] or the [api-major] mention. There are 7 of them:
- [api-major] Remove various deprecated functionality and options
- [api-major] Remove the SVG back-end (PR 15173 follow-up)
- [api-major] Output JavaScript modules in the builds (issue 10317)
- [api-minor] Stop polyfilling structuredClone in legacy builds
- [api-minor] Move to Fluent for the localization (bug 1858715)
- [api-minor] Re-factor NullL10n and remove the hard-coded l10n strings (PR 17115 follow-up)
- [api-minor] Use "data-l10n-id"/"data-l10n-args", rather than manually updating DOM-elements, to trigger translation (PR 17146 follow-up)
For the replacement I think it is about:
- downloading the pre-built https://github.com/mozilla/pdf.js/releases/download/v4.2.67/pdfjs-4.2.67-dist.zip (not the legacy for older browsers)
- replacing the files in this project static folder
- testing / amending calls to pdfjs
The folder layout changes a little bit, described here, but I think it is mostly about following what's present in static.
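A check that could run before and after swapping the files, as an added example that is not code from this project or from PDF.js: it reads the `pdfjsVersion` assignment quoted above out of the bundle text and compares it with the fixed release 4.2.67. The function names, the sample strings, and the rule that anything below 4.2.67 needs updating are assumptions of this sketch.

```javascript
// Added example, not project or PDF.js code.
// FIXED_VERSION is the release named in this thread; treating every lower
// version as "needs-update" is an assumption of this sketch.
const FIXED_VERSION = '4.2.67';

// Pull the version out of the bundle text. The thread quotes the form
// pdfjsVersion = '3.11.174'; double quotes are accepted as an assumption
// about how other builds may be emitted.
function extractPdfjsVersion(bundleText) {
  const m = /\bpdfjsVersion\s*=\s*["'](\d+(?:\.\d+){1,2})["']/.exec(bundleText);
  return m ? m[1] : null;
}

// Compare component by component as numbers. Comparing as strings would
// wrongly rank '4.10.0' below '4.2.67'.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// 'unknown' means no version string was found; a CI gate should treat
// that as a failure rather than a pass.
function auditBundle(bundleText) {
  const version = extractPdfjsVersion(bundleText);
  if (version === null) return { version: null, status: 'unknown' };
  const outdated = compareVersions(version, FIXED_VERSION) < 0;
  return { version, status: outdated ? 'needs-update' : 'ok' };
}

// Constructed sample inputs. In practice, pass the contents of the
// vendored pdf.js file (for example via fs.readFileSync(path, 'utf8')).
const SAMPLE_CURRENT = "const pdfjsVersion = '3.11.174';\nconst other = 1;";
const SAMPLE_FIXED = 'const pdfjsVersion = "4.2.67";';
const SAMPLE_LATER = "var pdfjsVersion = '4.10.0';"; // constructed version
const SAMPLE_NONE = 'console.log("no version here");';

for (const s of [SAMPLE_CURRENT, SAMPLE_FIXED, SAMPLE_LATER, SAMPLE_NONE]) {
  console.log(auditBundle(s));
}
```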