A critical vulnerability, CVE-2024-4367, has been discovered in PDF.js, affecting Firefox versions below 126 and various web applications using PDF.js, allowing attackers to run arbitrary JavaScript code through a font rendering code oversight
The exploit involves manipulating the fontMatrix array in PDF metadata to execute arbitrary code, with a fix available in PDF.js version 4.2.67. Recommendations for developers include updating PDF.js, checking for vulnerable versions in node_modules, and implementing content-security policies to prevent exploitation. https://cybersecuritynews.com/poc-released-for-javascript/