pkiff, Not surprised by the new security vulnerability in Mozilla's PDF.js - patched in latest Firefox. But remind me again why browsers try to render PDFs to begin with?
Displaying PDFs in browsers opens a huge new attack surface. PDFs are complex. Browsers render PDF forms poorly and offer only a limited subset of the many accessibility features provided by dedicated PDF software.
I wish none of the browser makers did this.
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/