TapTechNews, May 28: The Mozilla Foundation released Firefox 126 on May 14. According to the update notes, this version mainly fixes a high-risk vulnerability, CVE-2024-4367, in the browser's built-in PDF component (PDF.js).
The CVE-2024-4367 code execution vulnerability was reported by the security company Codean Labs and has a CVSSv3 score of 7.5. Because Firefox previously lacked a type check when handling PDF fonts, attackers could use a specially crafted PDF file to execute malicious JavaScript code.
TapTechNews learned that the PDF.js component built into Firefox renders fonts in modern formats such as TrueType by converting their characters into vector graphics through a font renderer. To improve performance, the developers precompile a path generator for each font. Researchers found that attackers can trigger the PDF.js vulnerability through specific parameters, causing the browser to automatically execute malicious JavaScript code when it reads a crafted PDF file, so the victim's device can be compromised without the victim noticing.
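The sketch below is an added example, not code from PDF.js or Mozilla. It models the general pattern described above: a path generator compiled from font-derived values, with and without a type check. All function names, the command format and the sample data are assumptions made for this illustration.

```javascript
// Simplified model of a precompiled glyph path generator (constructed; not PDF.js source).
// Each command is { op, args }, where args are values parsed from font data.
const ALLOWED_OPS = new Set(["moveTo", "lineTo", "quadraticCurveTo", "closePath"]);

// Weak form: arguments are pasted into generated source with no type check,
// so whatever the font data contains becomes part of the program text.
function buildSourceUnchecked(cmds) {
  return cmds.map((c) => `c.${c.op}(${c.args.join(",")});`).join("\n");
}

// Hardened form: every op is allow-listed and every argument must be a finite
// number before anything reaches the code generator.
function buildSourceChecked(cmds) {
  for (const { op, args } of cmds) {
    if (!ALLOWED_OPS.has(op)) throw new TypeError(`unexpected op: ${String(op)}`);
    if (!Array.isArray(args)) throw new TypeError(`args for ${op} must be an array`);
    for (const a of args) {
      if (typeof a !== "number" || !Number.isFinite(a)) {
        throw new TypeError(`non-numeric argument for ${op}`);
      }
    }
  }
  return buildSourceUnchecked(cmds);
}

// Compile once per glyph; only validated commands are ever turned into code.
function compileGlyph(cmds) {
  return new Function("c", buildSourceChecked(cmds));
}

// Recording stand-in for a canvas context so the example runs offline.
function recordingContext() {
  const calls = [];
  const ctx = { calls };
  for (const op of ALLOWED_OPS) ctx[op] = (...a) => calls.push([op, ...a]);
  return ctx;
}

// Constructed sample inputs.
const goodGlyph = [
  { op: "moveTo", args: [0, 0] },
  { op: "lineTo", args: [10, 5.5] },
  { op: "closePath", args: [] },
];
// A string where a number is expected, as a malformed font field might supply.
const badGlyph = [{ op: "lineTo", args: [1, "<untrusted text>"] }];
```

Generating code is not required at all: interpreting the validated command list directly against the drawing context removes the code-generation step this bug class depends on.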
In addition to fixing CVE-2024-4367, the Mozilla Foundation has also recently been fixing many "25-year-old bugs" in the Firefox browser.