### [CVE-2024-4367](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4367)
![](https://img.shields.io/static/v1?label=Product&message=Firefox%20ESR&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Firefox&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Thunderbird&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20115.11%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20126%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20JavaScript%20execution%20in%20PDF.js&color=brighgreen)

### Description

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/GhostTroops/TOP
- https://github.com/LOURC0D3/CVE-2024-4367-PoC
- https://github.com/Threekiii/Awesome-POC
- https://github.com/avalahEE/pdfjs_disable_eval
- https://github.com/clarkio/pdfjs-vuln-demo
- https://github.com/google/fishy-pdf
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/s4vvysec/CVE-2024-4367-POC
- https://github.com/spaceraccoon/detect-cve-2024-4367
- https://github.com/tanjiti/sec_profile
- https://github.com/zgimszhd61/openai-sec-test-cve-quickstart