@Radeon I don't know how you arrived at that conclusion; the official Mozilla blog says this:
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.
Personally, I think it exploited the same origin policy mechanism so that the injected JS code (hereafter inject.js) and the pdf.js code belong to the same origin.
It has nothing to do with the JS interpreter, but I still don't quite understand the mechanism: how does inject.js use pdf.js's local context to search local files? As far as I know, JS has no API for reading the local file system.
Please advise. Thanks.
BTW, the HN thread discussing this topic:
https://news.ycombinator.com/item?id=10021376
http://linustechtips.com/main/topic/426099-firefox-pdf-viewer-exploit-used-to-access-local-files-already-patched/
@patr0nus