Endpoint Vulnerability

Security bypass of PDF.js checks using iframes

Description

Security researcher Cody Crews discovered a method to append an iframe into an embedded PDF object rendered with the chrome privileged PDF.js. This can used to bypass security restrictions to load local or chrome privileged files and objects within the embedded PDF object. This can lead to information disclosure of local system files.

Affected Products

Firefox ESR

References

CVE-2013-5598,