### [CVE-2024-4367](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4367)
![](https://img.shields.io/static/v1?label=Product&message=Firefox%20ESR&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Firefox&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Thunderbird&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20115.11%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20126%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20JavaScript%20execution%20in%20PDF.js&color=brighgreen)

### Description

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

### POC

#### Reference
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

#### Github
- https://github.com/0xr2r/CVE-2024-4367
- https://github.com/1337rokudenashi/Odoo_PDFjs_CVE-2024-4367.pdf
- https://github.com/AazafRitha/bug-bounty-reports
- https://github.com/BektiHandoyo/cve-pdf-host
- https://github.com/Bhavyakcwestern/Hacking-pdf.js-vulnerability
- https://github.com/GhostTroops/TOP
- https://github.com/J1ezds/Vulnerability-Wiki-page
- https://github.com/LOURC0D3/CVE-2024-4367-PoC
- https://github.com/Masamuneee/CVE-2024-4367-Analysis
- https://github.com/MihranGIT/POC_CVE-2024-4367
- https://github.com/PenguinCabinet/CVE-2024-4367-hands-on
- https://github.com/Scivous/CVE-2024-4367-npm
- https://github.com/Threekiii/Awesome-POC
- https://github.com/UnHackerEnCapital/PDFernetRemotelo
- https://github.com/VVeakee/CVE-2024-4367
- https://github.com/XiaomingX/awesome-poc-for-red-team
- https://github.com/Zombie-Kaiser/cve-2024-4367-PoC-fixed
- https://github.com/alecdhuse/Lantern-Shark
- https://github.com/avalahEE/pdfjs_disable_eval
- https://github.com/clarkio/pdfjs-vuln-demo
- https://github.com/elamani-drawing/CVE-2024-4367-POC-PDFJS
- https://github.com/exfil0/WEAPONIZING-CVE-2024-4367
- https://github.com/google/fishy-pdf
- https://github.com/hellomipl/mipl-pdf-viewer
- https://github.com/kabiri-labs/CVE-2024-4367-PoC
- https://github.com/klausnitzer/pentest-pdf-collection
- https://github.com/m0d0ri205/PDFJS
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/pS3ud0RAnD0m/cve-2024-4367-poc
- https://github.com/pedrochalegre7/CVE-2024-4367-pdf-sample
- https://github.com/plzheheplztrying/cve_monitor
- https://github.com/rjm521/hdfs-dashboard
- https://github.com/romanbelaire/notebook
- https://github.com/rzte/pdf-exploit
- https://github.com/s4vvysec/CVE-2024-4367-POC
- https://github.com/snyk-labs/pdfjs-vuln-demo
- https://github.com/spaceraccoon/detect-cve-2024-4367
- https://github.com/tanjiti/sec_profile
- https://github.com/zgimszhd61/openai-sec-test-cve-quickstart
- https://github.com/zulloper/cve-poc