Arbitrary Code Injection Affecting Firefox package, versions [,131)
Threat Intelligence
EPSS
0.09% (39th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UNMANAGED-FIREFOX-8145219
- published 2 Oct 2024
- disclosed 1 Oct 2024
- credit Masato Kinugawa
How to fix?
Upgrade Firefox
to version 131 or higher.
Overview
Affected versions of this package are vulnerable to Arbitrary Code Injection via a multipart response, under the resource://pdf.js
origin, which allows an attacker to access cross-origin PDF content.
Note: The Site Isolation feature on desktop clients limits this access to "same site" documents. Full cross-origin access is possible on Android versions only.