A vulnerability in the component Firefox uses to open PDF files could be abused to execute arbitrary JavaScript code
Payment News · 2024-05-27

Last week, researchers published an analysis of CVE-2024-4367, the PDF.js vulnerability that the Mozilla Foundation patched in Firefox 126. They note that the flaw lies in font handling and that an attacker could use it to execute arbitrary JavaScript code.

On the 14th of this month, the Mozilla Foundation released Firefox 126, which fixes the high-severity vulnerability CVE-2024-4367 in its PDF viewer component (PDF.js). The flaw is caused by a missing type check during font handling, which lets an attacker execute arbitrary JavaScript code.

Codean Labs, the security firm that reported the vulnerability, also published an explanation last week: although PDF.js is written in JavaScript, the weakness does not stem from that scripting language's features but from the way fonts are processed.

For modern font formats such as TrueType, PDF.js mostly delegates rendering to the browser's own font engine. For other fonts, however, the JavaScript code itself must turn each character into curves drawn on the page, and to improve rendering performance the developers precompile a path generator for every font.

To verify that the threat is practical, the researchers triggered the PDF.js flaw with specially crafted parameters, which let them insert and execute arbitrary JavaScript code. Once a user opens a malicious PDF file in Firefox, an attacker has the opportunity to exploit the vulnerability to that end.
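The article describes a precompiled per-font path generator that is missing a type check on font parameters. The following is an added illustrative example, not PDF.js code and not Codean Labs' research code: a minimal glyph "compiler" that turns untrusted font data into generated JavaScript, with the numeric validation that such a design needs, plus a closure-based variant that keeps untrusted values out of generated source text altogether. The glyph format, the 6-element transform, and all function names are assumptions made for this example.

```javascript
// Added illustrative example (not PDF.js code). Demonstrates why values that
// come from a PDF file must be type-checked before they reach code that is
// generated as text and compiled with new Function(). All names and the
// glyph/transform formats are assumptions.

// Constructed sample glyph: a rectangle given as points in font units.
const SAMPLE_GLYPH = [[0, 0], [500, 0], [500, 700], [0, 700]];

// Reject anything that is not a plain finite number. A string that merely
// looks numeric ("0") is rejected too, because only the JavaScript type,
// not the textual appearance, decides what ends up in generated source.
function assertFiniteNumber(v, what) {
  if (typeof v !== "number" || !Number.isFinite(v)) {
    throw new TypeError(`${what}: expected a finite number, got ${JSON.stringify(v)}`);
  }
  return v;
}

// A font transform is assumed here to be exactly six numbers [a, b, c, d, e, f].
function assertTransform(values) {
  if (!Array.isArray(values) || values.length !== 6) {
    throw new TypeError("transform: expected an array of 6 numbers");
  }
  return values.map((v, i) => assertFiniteNumber(v, `transform[${i}]`));
}

function assertPoint(p) {
  if (!Array.isArray(p) || p.length !== 2) throw new TypeError("point: expected [x, y]");
  return [assertFiniteNumber(p[0], "x"), assertFiniteNumber(p[1], "y")];
}

// Code-generating variant (the performance-oriented design the article
// describes). Every value interpolated into the source string has passed
// the numeric check, so the generated text can only contain number literals.
function compileGlyph(glyph, transform) {
  const m = assertTransform(transform);
  const pts = glyph.map(assertPoint);
  const src = [`ctx.transform(${m.join(", ")});`];
  pts.forEach(([x, y], i) => {
    src.push(`ctx.${i === 0 ? "moveTo" : "lineTo"}(${x}, ${y});`);
  });
  src.push("ctx.closePath();");
  return new Function("ctx", src.join("\n"));
}

// Closure variant: the same drawing routine without generated source text.
// Untrusted data is passed as values, never concatenated into code, which
// removes the injection surface entirely (validation is still applied so
// that non-numeric data fails early rather than drawing garbage).
function compileGlyphClosure(glyph, transform) {
  const m = assertTransform(transform);
  const pts = glyph.map(assertPoint);
  return function draw(ctx) {
    ctx.transform(...m);
    pts.forEach(([x, y], i) => (i === 0 ? ctx.moveTo(x, y) : ctx.lineTo(x, y)));
    ctx.closePath();
  };
}

// Recording stand-in for a canvas 2D context, so the result can be inspected
// without a browser.
function recordingContext() {
  const ops = [];
  const rec = (name) => (...args) => { ops.push(`${name}(${args.join(", ")})`); };
  return {
    ops,
    transform: rec("transform"),
    moveTo: rec("moveTo"),
    lineTo: rec("lineTo"),
    closePath: rec("closePath"),
  };
}

// Run a compiled glyph against the recording context and return the op list.
function renderOps(drawFn) {
  const ctx = recordingContext();
  drawFn(ctx);
  return ctx.ops;
}

// Returns true if compilation rejected the transform, false if it accepted it.
function rejectsTransform(transform) {
  try {
    compileGlyph(SAMPLE_GLYPH, transform);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(renderOps(compileGlyph(SAMPLE_GLYPH, [1, 0, 0, 1, 0, 0])));
console.log("string entry rejected:", rejectsTransform([1, 0, 0, 1, 0, "0"]));
```

Both variants produce the same drawing calls for well-formed input; the difference is that `compileGlyphClosure` never builds source text, so a missing check there would at worst draw a malformed glyph, whereas in `compileGlyph` the check is the only thing standing between a PDF-supplied value and the text handed to `new Function`.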
