Multiple vulnerabilities in Foxit PDF Reader JavaScript engine

EXECUTIVE SUMMARY

Talos recently discovered multiple vulnerabilities in Foxit PDF Reader’s JavaScript engine. Foxit PDF Reader is a commonly used PDF reader with many features, including JavaScript support, which enables interactive documents and dynamic forms. An adversary could take advantage of this JavaScript functionality by sending the victim a specially crafted file to trigger several different vulnerabilities.

In accordance with our coordinated disclosure policy, Talos worked with Foxit to disclose these vulnerabilities and ensure that an update is available.

DETAILS

Foxit Reader JavaScript media openPlayer type confusion vulnerability (TALOS-2020-1165/CVE-2020-13547)

A type confusion exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger an improper use of an object, resulting in memory corruption and arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

For more information on this vulnerability, read the complete advisory here.

There are also four use-after-free vulnerabilities. A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger these vulnerabilities. For more information on these, check out their respective advisories.

  • TALOS-2020-1166
  • TALOS-2020-1171
  • TALOS-2020-1175
  • TALOS-2020-1181