The pdf.js file in pdfjs-viewer-shortcode/pdfjs/build/pdf.js says that it is version 2.6.347, which came out Sep 3, 2020. The current version is 4.3.136, released at the end of May 2024, and uses modular JavaScript using .mjs files instead of .js files. That has been the case since the v4.0.189 release in November 2023. There might be a problem using it on some sites, as not all sites return the correct content type header for .mjs files. Without the correct content type header, browsers will not run .mjs JavaScript. I had to have our host configure our nginx server to return the content type of javascript/application for .mjs files in order to run pdf.js v4.3.136.
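Added example, not part of the original post and not code from the plugin or pdf.js: browsers execute a module script only when the response's Content-Type essence is a JavaScript MIME type (the list in the WHATWG MIME Sniffing standard), so this Node.js check classifies the header values a server returns for `.mjs` files. The function names, file paths and header values are constructed for illustration.

```javascript
// JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type header value to its lowercase "type/subtype" essence.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// Decide whether a browser would accept this response as a module script.
function checkModuleResponse(url, contentType) {
  const essence = mimeEssence(contentType);
  if (essence === null) {
    return { url, ok: false, reason: "missing or malformed Content-Type" };
  }
  if (!JS_MIME_ESSENCES.has(essence)) {
    return { url, ok: false, reason: `"${essence}" is not a JavaScript MIME type` };
  }
  const reason = essence === "text/javascript"
    ? "ok"
    : "ok (legacy alias; text/javascript is the registered type, RFC 9239)";
  return { url, ok: true, reason };
}

function audit(responses) {
  return responses.map(([url, ct]) => checkModuleResponse(url, ct));
}

// Constructed sample: [path, Content-Type header value or null if absent].
const SAMPLE = [
  ["/viewer/build/pdf.mjs", "text/javascript"],
  ["/viewer/build/pdf.worker.mjs", "application/javascript; charset=utf-8"],
  ["/viewer/web/viewer.mjs", "application/octet-stream"], // extension not mapped
  ["/viewer/build/pdf.sandbox.mjs", null],                // header not sent
];

for (const r of audit(SAMPLE)) {
  console.log(`${r.ok ? "PASS" : "FAIL"}  ${r.url}  ${r.reason}`);
}
```

The header values to feed in can be collected with any HTTP client that shows response headers for each `.mjs` URL the viewer loads.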
Working on an update. I’m a bit worried about the .mjs files, but I guess we’ll see what happens.
Hi Thomas, thanks for the update on the situation.
Do we have an ETA and/or anything we should do to protect our sites? I really don’t want to change the plugin.
The exploit is based off a malicious PDF file being opened. So as long as you’re controlling what PDFs you show on your site, you should be safe. With that said, I hope to have an updated version out in the next few days.
We have a serious use case issue that we are patiently waiting for your update to address with updated JS libraries. We are using the standard shortcode to load PDFs. However, on iOS devices (specifically tablets), we encounter some issues. For example, we have a 22MB, 26-page PDF file. When we use print options or presentation modes, the plugin arbitrarily grabs random pages, such as pages 4 to 12 or pages 1 to 8. We can never print the full 26 pages. The same issue occurs with presentation mode; it randomly skips pages.
This issue cannot be recreated on Mac, PC, or Windows desktop browsers. It is specific to iOS devices, and we have tested this on about 40 different tablets. Currently, we are forced to open our PDFs in a new window. I should add that we are running your shortcode in an inline frame.
I hope that updating to the latest JS library fixes the issue. If not, could you provide some insight into what might be causing this problem or suggest a solution?
Everything was updated, but that comes at a cost too. No happy medium I guess.