Security Scan complains about js version

Resolved ramgarimella
(@ramgarimella)

4 months, 3 weeks ago

Hello,

When we ran vulnerability scan on our website, we received the following error complaining about the js version being Vulnerable

id”: “668d212f95d9ec8621dd5079”,
 “status”: “OPEN”,
 “Name”: “Vulnerable JS Library”,
 “Description”: “The identified library appears to be vulnerable.”,
 “Solution”: “Upgrade to the latest version of the affected library.”,
 “Reference”: “https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/”,
 “CWE Id”: “1395”,

“Instances”: [
 {
 “uri”: “https://www.xxx.com/wp-content/plugins/pdf-embedder/assets/js/pdfjs/pdf.min.js?ver=2.2.228”,
 “method”: “GET”,
 “param”: “”,
 “attack”: “”,
 “evidence”: “messageHandler.sendWithPromise(\”GetDocRequest\”,{docId:n,apiVersion:\”2.2.228\””,
 “otherinfo”: “The identified library pdf.js, version 2.2.228 is vulnerable.\nCVE-2024-4367\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645\nhttps://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\nhttps://github.com/mozilla/pdf.js/pull/18015\nhttps://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\nhttps://github.com/mozilla/pdf.js\nhttps://github.com/advisories/GHSA-wgrm-67xf-hhpq\n”,
 “requestHeader”: “GET https://www.xxxx.com/wp-content/plugins/pdf-embedder/assets/js/pdfjs/pdf.min.js?ver=2.2.228 HTTP/1.1\r\nhost: http://www.xxx.com\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\r\npragma: no-cache\r\ncache-control: no-cache\r\nreferer: https://www.xxx.com/”,
 “requestBody”: “”,
 “responseHeader”: “HTTP/1.1 200 OK\r\nDate: Sun, 16 Nov 2025 02:15:57 GMT\r\nContent-Type: application/javascript\r\nConnection: keep-alive\r\nCF-RAY: 99f37bc77ed94211-EWR\r\nlast-modified: Tue, 01 Apr 2025 17:54:29 GMT\r\nvary: Accept-Encoding\r\netag: W/\”67ec2855-51b09\”\r\nexpires: Mon, 16 Mar 2026 02:15:57 GMT\r\nCache-Control: public, max-age=10368000\r\nx-rocket-nginx-serving-static: BYPASS\r\nstrict-transport-security: max-age=31536000;\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\nx-frame-options: SAMEORIGIN\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src * ‘unsafe-inline’ ‘unsafe-eval’ data: blob:;\r\nCF-Cache-Status: HIT\r\nAge: 4461558\r\nspeculation-rules: \”/cdn-cgi/speculation\”\r\nServer: cloudflare\r\nalt-svc: h3=\”:443\”; ma=86400\r\ncontent-length: 334601\r\n\r\n”,
 “responseBody”: “!function(e,t){\”object\”==typeof exports&&\”object\”==typeof module?module.exports=t():\”function\”==typeof define&&define.amd?define(\”pdfjs-dist/build/pdf\”,[],t):\”object\”==typeof exports?exports[\”pdfjs-dist/build/pdf\”]=t():e[\”pdfjs-dist/build/pdf\”]=e.pdfjsLib=t()}(this,function(){return function(e){var t={};function r(n){if(t[n])return t[n].exports;var i=t[n]={i:n,l:!1,exports:{}};return e[n].call(i.exports,i,i.exports,r),i.l=!0,i.exports}return r.m=e,r.c=t,r.d=function(e,t,n){r.o(e,t)||Object.defin…(truncated)”
 }
 ],

Viewing 1 replies (of 1 total)

Plugin Support Jackson Mwange
(@mwangejack)

4 months, 3 weeks ago

Hi @ramgarimella ,

Thanks for getting in touch!

Please know that we are no longer affected by this vulnerability, as we fixed it back when we released PDF Embedder v4.8.0 (you can read a changelog here), in June 2024.

In case it helps to know, it is not the whole PDF.js library that is affected, but only its font-rendering part. We’ve disabled the related font-rendering part of the PDF.js library codebase.

Additionally, our plugin has been reviewed by independent researchers who confirmed that we are no longer affected. Please see our report here: https://wpscan.com/plugin/pdf-embedder/

I hope this helps with clarification, and please don’t hesitate to let me know if you have any other questions!

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.