Total vulnerabilities in the database
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
| Software | From | Fixed in |
|---|---|---|
| mozilla / firefox | - | 131.0 |
| mozilla / thunderbird | - | 128.3 |
| mozilla / thunderbird | 129.0-beta2 | 129.0-beta2.x |
| mozilla / thunderbird | 129.0-beta3 | 129.0-beta3.x |
| mozilla / thunderbird | 129.0-beta4 | 129.0-beta4.x |
| mozilla / thunderbird | 129.0-beta5 | 129.0-beta5.x |
| mozilla / firefox_esr | - | 115.16.0 |
| mozilla / firefox_esr | 116.0 | 128.3.0 |
| mozilla / thunderbird | 129.0-beta | 129.0-beta.x |
| mozilla / thunderbird | 129.0-beta6 | 129.0-beta6.x |