All Products Community Forum

Hi, During some tests I found that FF 115.19.0esr can still execute arbitrary JS similarly to CVE-2024-4367. I’ve checked the versions and > 115.11esr should be patched. Any payload with ‘/JS’ taken from https://github.com/luigigubello/PayloadsAllThePDFs/tree/main will do. Since this is probably important – FontMatrix is *not* working (no JS), original PoC (https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf) is also *not* working. I also wasn’t able to call an external script and so far haven’t found any path to exploit it beyond an alertbox. However, it still bothers me a lot and I’d like to know whether it’s the correct, expected behavior with FF+pdf.js, is it a vulnerability, or maybe my browser was somehow corrupted or is using some other mechanism that’s not within your control (my settings? about:config?).

Steps to re-create: 1. Open file in notepad 2. Add ‘/OpenAction 99 0 R’ after ‘lang’ in ‘1 0 obj section’ 3. After ‘endobj’ add ‘99 0 obj <</Type /Action /S /JavaScript /JS (app.alert\(1\);)>>’ 4. Result – alertbox popping twice

In previous versions of Firefox (up to version 133), it was possible to automatically trigger printing of a PDF file by loading it into an iframe from a sandboxed iframe and call print. However, starting with version 134, this no longer works.

Is there any other way to automatically trigger the print dialog for a PDF file in Firefox, similar to how it can be done in Chrome/Edge (e.g., by opening the PDF in a new window and directly triggering the print dialog without additional button clicks)?

Hi all, I've looked high and low for this, but can't find it... I have a couple of laptops and a desktop - one of the laptops has started showing a sidebar with buttons. I really like the utility of it and want to do same on second laptop and desktop, but all the settings I've tried just give me the old style of bookmarks. The version I want has a side pane with curved corners, and several buttons remain along left, almost like a left hand side menu bar. But where's the on/off button to add it to my other machines? All using latest version, and all logged in as me - I don't understand why, if its an update, it hasn't done so to all computers?

For some reason the first item when I open my browser is google. I do not use google-I can search my browser's history and see I do not use google. How do I get it removed? There is no reason for it to pop-up in my browser at all but there is absolutely no reason for it to be the top item whenever I open my browser. Why is it even there? I always use DuckDuckGo to search.

Please help me remove google from my browser. I have attached a screenshot with my browser showing google as the first item when I open it. This is getting so frustrating when I try to avoid google like the plague...the plague it is.

Thank you very much.

Hello! I am developing a web server, from which users can download large files. These files take a few seconds to generate, and cannot be generated ahead-of-time; only when a user requests them. The server therefore responds to such requests by first sending the HTTP response headers (without "Content-Length"), which can be written immediately, then generating the file, and sending the generated file as the response body.

In Chromium, this leads to the "Save As..." dialog appearing instantly, so the file can be generated & downloaded in the background while the user picks a location.

In Firefox (v132, linux x64), the "Save As..." dialog waits for the file to be generated before appearing, which is not user-friendly. During deeper testing, I discovered that Firefox appears to wait for my server to send at least 1 byte of data from the file (in the response body, after sending the HTTP response headers), before the "Save As..." dialog appears.

I have searched the Firefox settings and documentation but did not find anything that would explain this behavior. Is this a bug?