EIP-617871b4
The vulnerability exists within the JavaScript PDF API exposed by Foxit PhantomPDF. The loadHtmlView method of the app object invokes attacker-controlled JavaScript code in a privileged context. An attacker can create a specially crafted PDF file that will abuse this vulnerability to bypass the context based security mechanism of the JS PDF API.
Vulnerability Identifiers
- Exodus Intelligence: EIP-617871b4
- MITRE CVE: Pending
Vulnerability Metrics
- CVSSv2 Score: 6.8
Vendor References
Discovery Credit
- Exodus Intelligence
Disclosure Timeline
- Disclosed to affected vendors: February 24th, 2021
- Disclosed to public: July 27th, 2021
Further Information
Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.
Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.