Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Vendor: PDFTron Vendor URL: https://www.pdftron.com/ Versions affected: WebViewer UI 8.0 or below Systems Affected: Web applications hosting the affected software Author: Liyun Li <liyun.li[at]nccgroup[dot]com> CVE Identifier: CVE-2021-39307 Summary PDFTron’s WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Impact An attacker … Continue reading Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)