pdfjs-dist 2.3.200

1 security vulnerability found in version 2.3.200

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

high severity CVE-2024-4367
Affected versions: <= 4.1.392

Impact

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval: https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.
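As an added illustration of the workaround and the affected-version range above (example code written for this page, not pdf.js project code or advisory content): isEvalSupported is a real getDocument() parameter and 4.1.392 is the last affected version from the advisory; the helper names, the sample version and the sample URL are constructed.

```javascript
// Added example, not pdf.js project code. Decides whether an installed
// pdfjs-dist version is inside the advisory's affected range (<= 4.1.392)
// and applies the advisory's workaround (isEvalSupported: false) to the
// parameter object handed to pdfjsLib.getDocument().
const LAST_AFFECTED_VERSION = "4.1.392"; // from the advisory

// Compare two dotted numeric versions; negative, zero or positive like strcmp.
// Missing components count as 0, so "4.2" compares equal to "4.2.0".
// Pre-release suffixes are not handled; pdfjs-dist tags are plain numbers.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// True when this pdfjs-dist version falls in the CVE-2024-4367 range.
function isAffectedByCve20244367(version) {
  return compareVersions(version, LAST_AFFECTED_VERSION) <= 0;
}

// True when an affected version would still run with eval enabled: the
// option is either missing (pdf.js defaults it to true) or explicitly true.
function needsWorkaround(version, initParams) {
  return isAffectedByCve20244367(version) && initParams.isEvalSupported !== false;
}

// Return a copy of the caller's getDocument() parameters with the
// workaround forced on, so a caller cannot re-enable eval by omission.
function hardenedInitParams(initParams) {
  return { ...initParams, isEvalSupported: false };
}

// Constructed usage: the version this page describes, with a caller that
// only supplied a URL (a real getDocument parameter) and no eval setting.
const installedVersion = "2.3.200";
const callerParams = { url: "https://example.invalid/report.pdf" }; // constructed
if (needsWorkaround(installedVersion, callerParams)) {
  const safeParams = hardenedInitParams(callerParams);
  // pdfjsLib.getDocument(safeParams) would be the actual call in an app.
  console.log("workaround applied:", safeParams);
}
```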

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Author did not declare license for this package in the source code.

This package version has an Apache-2.0 license in the source code, however it was not declared in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.