CVE-2018-5158

HIGH8.8EPSS 43.0%

Malicious PDF can inject JavaScript into PDF Viewer

Published: 5/14/2022Modified: 4/28/2026

Description

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.

Affected packages (2)

Debian/firefox-esrfrom 0, < 52.8.0esr-1
npm/pdfjs-dist>= 2.0.0, < 2.0.550

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (16)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-5158
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-5158
PATCHhttps://github.com/mozilla/pdf.js
WEBhttps://access.redhat.com/errata/RHSA-2018:1414
WEBhttps://access.redhat.com/errata/RHSA-2018:1415
WEBhttps://bugzilla.mozilla.org/show_bug.cgi?id=1452075
WEBhttps://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97
WEBhttps://github.com/mozilla/pdf.js/pull/9659
WEBhttps://lists.debian.org/debian-lts-announce/2018/05/msg00007.html
WEBhttps://security.gentoo.org/glsa/201810-01
WEBhttps://usn.ubuntu.com/3645-1
WEBhttps://www.debian.org/security/2018/dsa-4199
WEBhttps://www.mozilla.org/security/advisories/mfsa2018-11
WEBhttps://www.mozilla.org/security/advisories/mfsa2018-12
WEBhttp://www.securityfocus.com/bid/104136
WEBhttp://www.securitytracker.com/id/1040896