CVE-2018-5158 — Malicious PDF can inject JavaScript into PDF Viewer

Description

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.

How to fix CVE-2018-5158

To remediate CVE-2018-5158, upgrade the affected package to a fixed version below.

—upgrade to 52.8.0esr-1 or later
—upgrade to 2.0.550 or later

Is CVE-2018-5158 being exploited?

Moderate — EPSS is 43.0%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 52.8.0esr-1
>= 2.0.0, < 2.0.550

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (16)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-5158
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-5158
PATCHgithub.com/mozilla/pdf.js
WEBaccess.redhat.com/errata/RHSA-2018:1414
WEBaccess.redhat.com