EIP-2018-0045

The vulnerability exists within the JavaScript PDF API exposed by Foxit PhantomPDF. The loadHtmlView method of the app object invokes attacker-controlled JavaScript code in a privileged context. An attacker can create a specially crafted PDF file that will abuse this vulnerability to bypass the context based security mechanism of the JS PDF API.

Vulnerability Identifiers

• Exodus Intelligence: EIP-2018-0045
• MITRE CVE: Pending

Vulnerability Metrics

• CVSS Score: 6.8

Vendor References

• https://www.foxit.com/support/security-bulletins.html

Discovery Credit

• Exodus Intelligence

Disclosure Timeline

• Disclosed to affected vendors: February 24th, 2021
• Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at [email protected].

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.