Firefox Community Forum

Hi, During some tests I found that FF 115.19.0esr can still execute arbitrary JS similarly to CVE-2024-4367. I’ve checked the versions and > 115.11esr should be patched. Any payload with ‘/JS’ taken from https://github.com/luigigubello/PayloadsAllThePDFs/tree/main will do. Since this is probably important – FontMatrix is *not* working (no JS), original PoC (https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf) is also *not* working. I also wasn’t able to call an external script and so far haven’t found any path to exploit it beyond an alertbox. However, it still bothers me a lot and I’d like to know whether it’s the correct, expected behavior with FF+pdf.js, is it a vulnerability, or maybe my browser was somehow corrupted or is using some other mechanism that’s not within your control (my settings? about:config?).

Steps to re-create: 1. Open file in notepad 2. Add ‘/OpenAction 99 0 R’ after ‘lang’ in ‘1 0 obj section’ 3. After ‘endobj’ add ‘99 0 obj <</Type /Action /S /JavaScript /JS (app.alert\(1\);)>>’ 4. Result – alertbox popping twice

Dear Sir,

Firefox is not working with Rabby Wallet and Metamask extensions.

It does no pop-up the window to see the transaction and sign it. Firefox 134.0.1 (64-bit). Windows 10 Home.

On Metamask at least I can click on the pinned extension and see the window. However it´s not the expected behavior, because it should open the pop-up automatically. With Rabby wallet it is impossible to proceed, even clicking on the extension icon.

Please fix it.

I have just got a new laptop and installed everything in relation to Firefox onto it. I have used the Nordpass extension for a couple of years and on the old laptop this is version 5.23.13 updated 16/10/24. On visiting the add-on and extension site today there is only a legacy version 4.33 updated 2y ago which clearly no longer works. Where has it gone. Clearly I am going to ask the same question of Nord, but I hope you can help.