Security Compliance Script Unveils Dynamic DOM Element Creation Vulnerability in PDFTron

WebViewer Version: 8.1

Do you have an issue with a specific file(s)?
No
Can you reproduce using one of our samples or online demos?
Yes
Are you using the WebViewer server?
No
Does the issue only happen on certain browsers?
No
Is your issue related to a front-end framework?
Yes
Is your issue related to annotations?
No

Please give a brief summary of your issue:
Security Compliance Script Unveils Dynamic DOM Element Creation Vulnerability in PDFTron

Hi,

We recently scanned our product for vulnerabilities with Fluid Attacks. One of the findings, reported in myapp/webviewer/core/pdf/WasmThread.js, is described as "Creation of dynamic DOM elements from user controlled inputs or the event origin is not checked".

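Logs (the scanner's `>` marker is on line 32, which registers a `window.addEventListener("message", …)` handler; the truncated excerpt shows the handler reading `a.data` but does not show whether the event origin is checked):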

13 | nction(a,n){this.fs_q=this.fs_read_counter=0;this.needCallback=!1;this.fs_read_total=a;this.fs_q=n}}();d.AsyncFSHack={rea
14 | syncFSHack.readingAsyncFS=0,delete d.AsyncFSHack.readCalls[a])},C=function(a,n,b,h,f,e){this.lruList=[];this.chunkMap={};
15 | ].push(b);if(n){b=Math.min(a+this.chunkSize,this.length)-1;var h=new XMLHttpRequest;h.open("GET",this.url,!0);h.responseT
16 | ed to load data from"+e.url),b=new Int8Array(0);for(var n=e.chunkReader[a],f=0;f<n.length;f++)n[f](b);delete e.chunkReade
17 | Chunks:function(a,b){for(var n=a.length,h=Array(n),f=0,e=function(a,e){h[e]=a;++f;f===n&&b(h)},m=0;m<n;++m)this.wrapChunk
18 | this.chunkMap[e]?(m=this.chunkMap[e].subarray(0,b),a.set(m,f),this.lruUpdate(e)):this.hadChunk(e)?h.push([e,0,b,f]):(m=ne
19 | his.lruList.shift(),this.chunkMap[h]=null);this.lruUpdate(b);this.chunkMap[b]=a}};var B=function(a){this.chunkStorage=a;t
20 | [1]+e[2]);n.set(f,e[3])}A(m)})):f&&A(m);h+=e}else e=0;if(!f){z(m);b+=e;if(c-=e){f=this.chunkStorage.getCacheData();c>f.le
21 | .length&&(d=b.length),f=h-this.length,d-=f,m=a.subarray(m,m+d),b.subarray(f,f+d).set(m);h+=d;e+=d}this.position=h;return
22 | ;var f=this;h.onload=function(){var a=new Int8Array(h.result);f.readerPool.push(h);d(a)};h.readAsArrayBuffer(this.file.sl
23 | n(){return this.filePosition},getTotalSize:function(){return this.fileLength}};var v={open:function(a){var b=a.path.slice
24 | ider.write(b,d,c,f):0}},y=function(a){if(!q[a]){var b=d.FS.makedev(3,5);d.FS.registerDevice(b,v);d.FS.mkdev(a,511,b);q[a]
25 | ull!==a&&("[object File]"===b||"[object Blob]"===b)}}).call(this,l(3))},function(c,b,l){c.exports=l(2)},function(c,b,l){f
26 | }}),q=!0);r.sendTestResponse();d.PThread.receiveObjectTransfer=function(){var a=d.Module.GetNextResponseMessage();d.getTh
27 | )&&(a[b]=f(a[b]));return a},C=function e(a){if("object"===g(a)&&null!==a)if(a.isArrayBufferRef){var b=d.FS.readFile(a.han
28 | DevId=e):Object(a.d)(e)&&(e=Object(a.a)(e),v[f]=e,c.value=e);else if("SaveDoc"!==e&&"SaveDocFromFixedElements"!==e||!c)"G
29 | ilePath=k}d.Module.HandleMessage(A(b))},r;d.MainThreadLabel=!0;d.getThreadedWasmWorker=function(){return r};var D=functio
30 | return a!==b}))},sendTestResponse:function(){x&&u&&(this.handleMessage({action:"test",data:{supportTypedArray:!0,supportT
31 | ary"});c.fileData=g.buffer;c=w[e].docId;c in p&&(Object(a.c)(p[c]),delete p[c]);c&&!w[e].finishedWithDocument?p[c]=f:d.FS
> 32 | EventListener("message",m))};window.addEventListener("message",function(a){a=a.data;if("loadWasmWorker"===a.action){var b
33 | ndow)
^ Col 111

My question is: can we write a fix to avoid this warning, or can it be safely ignored? If it can be ignored, why?
Steps to run Fluid Attacks: Using Machine for CASA | Fluid Attacks Documentation
My GitHub repository, which contains the results in the Fluid-Attacks-Results.csv file: GitHub - srijeetpatil/myPDFTronApp

Thanks!