Firefox's PDF viewing component has a vulnerability that could be used to execute arbitrary JavaScript code
Payment Updates · 2024-05-27

Last week, researchers published an analysis of CVE-2024-4367, the PDF.js vulnerability that the Mozilla Foundation patched in Firefox 126, noting that the flaw lies in font handling and could allow an attacker to execute arbitrary JavaScript code.

On the 14th of this month, the Mozilla Foundation released Firefox 126, which patches a high-severity vulnerability, CVE-2024-4367, in its PDF viewing component (PDF.js). The flaw stems from a missing type check during font handling, which could allow an attacker to execute arbitrary JavaScript code.

Codean Labs, the security firm that reported the vulnerability, also published an explanation last week, pointing out that although PDF.js is written in JavaScript, the weakness does not come from the script's own functionality but from how fonts are handled.

For fonts in modern formats such as TrueType, PDF.js relies mainly on the browser's font renderer. For other fonts, however, the JavaScript code itself must convert the characters into curves drawn on the page, and to improve performance the developers precompile a path generator for each font.

To verify that the threat is practical, the researchers triggered the PDF.js vulnerability through specific parameters, thereby injecting and executing arbitrary JavaScript code. Once a user opens a malicious PDF file in Firefox, an attacker could exploit the flaw to achieve the same result.
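The defensive lesson behind the bug described above is that any font parameter spliced into a precompiled path generator must be type-checked first. The following is an added illustration, not PDF.js's own code: it assumes a simplified path generator that embeds a six-number font matrix into generated source (the real PDF.js internals and the exact shape of the fix are not shown on this page), and shows both a validated code-generation path and a closure-based alternative that avoids generating source altogether.

```javascript
// Illustration only (not PDF.js code): why font parameters must be
// validated before they are embedded in generated JavaScript.

// Accept only an array of exactly six finite numbers. Anything else
// (strings, objects, NaN, wrong length) is rejected before code generation.
function isValidFontMatrix(m) {
  return (
    Array.isArray(m) &&
    m.length === 6 &&
    m.every((v) => typeof v === "number" && Number.isFinite(v))
  );
}

// Validated code-generation path: the matrix values become literals in the
// generated source, so without the check above a non-numeric entry would be
// inserted into the source verbatim instead of as a number.
function compilePathGenerator(fontMatrix) {
  if (!isValidFontMatrix(fontMatrix)) {
    throw new TypeError("FontMatrix must be an array of six finite numbers");
  }
  const [a, b, c, d, e, f] = fontMatrix;
  const src = `
    const out = [];
    for (const [x, y] of pts) {
      out.push([${a} * x + ${c} * y + ${e}, ${b} * x + ${d} * y + ${f}]);
    }
    return out;`;
  return new Function("pts", src);
}

// Safer alternative: no source generation at all. The values are captured by
// a closure, so an attacker-controlled entry can never become code; the same
// type check is still applied so bad input fails loudly rather than yielding NaN.
function makePathGenerator(fontMatrix) {
  if (!isValidFontMatrix(fontMatrix)) {
    throw new TypeError("FontMatrix must be an array of six finite numbers");
  }
  const [a, b, c, d, e, f] = fontMatrix;
  return (pts) => pts.map(([x, y]) => [a * x + c * y + e, b * x + d * y + f]);
}

// Helper used for checks: returns true if fn(fontMatrix) throws a TypeError.
function rejects(fn, fontMatrix) {
  try {
    fn(fontMatrix);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```

Both generators produce identical results for a valid matrix; the closure form is what a reviewer would ask for when the performance argument for code generation is not compelling.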
