by fukusa 3976 days ago
Hi,

I reported this 0-day. It used a PDF.JS same origin policy violation to access local files. You should be safe because you have javascript disabled and pdfjs.disabled set to true. There's no way for the script to run. It was on an international news website operating from Russia. The exploit was not on an ad network. The exploit was simply injected on every news article page through an iframe. Therefore I assume the news site was compromised. It could have been deliberately injected by the website operators, but I highly doubt it. The exploit targeted developers or tech-savvy people. On Linux, it targeted the contents of the ~/.ssh directory and some other sensitive files. I should say that I am not a security expert and I came across this 0-day by accident.

3 comments

Please identify the exact international news website. Was it rt.com?
No it was not. I'm not sure if I should mention which website it was (yet). The exploit is still active. I am trying to get in touch with them to get it removed.
> The exploit was simply injected on every news article page through an iframe

Was the "src" of the iframe 3rd-party to the web site? I want to know whether merely blocking 3rd-party iframes would also have prevented the exploit from working even if javascript is not blocked.

Yes, it was, so it would have prevented the exploit from loading.
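A defender-side check for the question raised above (is an iframe's src third-party to the page that embeds it?), added here as an example and not code from anyone in the thread: it walks a saved HTML page and reports iframes whose origin differs from the page's own origin, which is what a site operator would look for when hunting an injected iframe. The sample page and the injected-placeholder.invalid host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _origin(u):
    """(scheme, host, port) with default ports filled in so :443 == no port."""
    default_port = {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), u.port or default_port)


def third_party_iframes(page_url, html):
    """Return resolved iframe src URLs whose origin differs from the page origin.

    Relative and protocol-relative srcs are resolved against the page URL.
    Subdomains count as third-party: same-origin means exact host match.
    Non-HTTP(S) srcs (about:blank, data:, javascript:) are not remote fetches
    and are skipped here.
    """
    page_origin = _origin(urlparse(page_url))
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        resolved = urljoin(page_url, src)
        u = urlparse(resolved)
        if u.scheme not in ("http", "https"):
            continue
        if _origin(u) != page_origin:
            flagged.append(resolved)
    return flagged


# Constructed sample: one same-origin embed, one subdomain widget,
# and one hidden 1x1 iframe pointing at a placeholder third-party host.
SAMPLE_PAGE_URL = "https://news.example/world/article-1"
SAMPLE_HTML = """<html><body><h1>Article</h1>
<iframe src="/embed/video/42"></iframe>
<iframe src="//cdn.news.example/widget"></iframe>
<iframe src="https://injected-placeholder.invalid/pdfjs.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in third_party_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("third-party iframe:", url)
```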
Do you know if NoScript with javascript disabled but iframes allowed and pdfjs enabled would have stopped it?

A vulnerability test would be really nice but I understand why it doesn't exist yet.

It would have stopped it. JS has to be active for the exploit script to run.
My thanks for reporting it and this clarification.