module
Firefox PDF.js Browser File Theft
| Disclosed | Created |
|---|---|
| N/A | May 30, 2018 |
Disclosed
N/A
Created
May 30, 2018
Description
This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR
38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
privileges to read local files. The in-the-wild malicious payloads searched for sensitive
files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
do not use the Mozilla PDF viewer.
38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
privileges to read local files. The in-the-wild malicious payloads searched for sensitive
files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
do not use the Mozilla PDF viewer.
Authors
Unknown
fukusa
Unknown
fukusa
Unknown
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.