CVE-2018-5158
Description
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted PDF can inject JavaScript into Firefox's PDF viewer due to insufficient sanitization of PostScript calculator functions, potentially bypassing same-origin restrictions.
Vulnerability
The PDF viewer in Firefox does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file [1][3]. This vulnerability affects Firefox ESR versions prior to 52.8 and Firefox versions prior to 60 [1][4]. The issue can be triggered by processing a specially crafted PDF file that exploits the insufficient sanitization of PostScript calculator functions within the PDF viewer's worker [3].
Exploitation
An attacker must craft a PDF file containing malicious PostScript calculator functions that, when processed, inject JavaScript into the PDF viewer's worker context [3]. The attacker can then deliver this PDF file to a user, for example through a website or email attachment. The injected JavaScript runs with the permissions of the PDF viewer, requiring no additional authentication beyond the user opening the malicious PDF [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript within the context of the PDF viewer. This can lead to compromise of data displayed or processed by the viewer, potentially allowing the attacker to read or exfiltrate PDF content, interact with other browser resources, or perform actions with the privileges of the PDF viewer worker [3]. The vulnerability could be used to bypass same-origin protections, enabling access to PDF files from other origins [1][3].
Mitigation
Mozilla released Firefox 60 and Firefox ESR 52.8 on May 9, 2018, which fix this vulnerability [1][3]. Users should update to these or later versions. Red Hat released updates for Red Hat Enterprise Linux 7 as part of RHSA-2018:1414 and RHSA-2018:1415 [1][2]. No workarounds are documented; updating the browser is the recommended action.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pdfjs-dist (npm) | >= 2.0.0, < 2.0.550 | 2.0.550 |
| pdfjs-dist (npm) | < 1.10.100 | 1.10.100 |
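
To check a project against the two ranges in the table above, the following added example (not part of the advisory or of pdf.js) scans a parsed package-lock.json for installed pdfjs-dist copies. The function names, the sample lockfile and the package names other than pdfjs-dist are constructed for illustration.

```javascript
// Affected ranges copied from the advisory table on this page.
const AFFECTED = [
  { min: [2, 0, 0], fixed: [2, 0, 550] }, // >= 2.0.0, < 2.0.550
  { min: null, fixed: [1, 10, 100] },     // < 1.10.100
];
// Parse "MAJOR.MINOR.PATCH"; any suffix after the patch number is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// true = affected, false = not in an affected range, null = unparseable.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return AFFECTED.some((r) => (!r.min || compare(v, r.min) >= 0) && compare(v, r.fixed) < 0);
}

// Report every pdfjs-dist copy that is affected or has an unreadable version.
function findAffected(lock) {
  const hits = [];
  const check = (path, version) => {
    const affected = isAffected(version);
    if (affected !== false) hits.push({ path, version, affected });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/pdfjs-dist')) check(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'pdfjs-dist') check(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/pdfjs-dist': { version: '2.0.489' },
  'node_modules/viewer-lib/node_modules/pdfjs-dist': { version: '1.10.100' },
  'node_modules/report-lib/node_modules/pdfjs-dist': { version: '1.9.426' },
} };
console.log(findAffected(SAMPLE_LOCK));
```

Nested copies matter here: a patched top-level pdfjs-dist does not help if a dependency bundles its own older copy, which is why the scan reports the install path of each hit.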
Affected products
- Range: unspecified
- Mozilla/Firefox ESRv5Range: unspecified
Patches
2dc4af525d16 Merge pull request #9659 from yurydelendik/rm-createFromIR
2 files changed · +41 −51
src/core/colorspace.js+9 −11 modified@@ -203,10 +203,10 @@ var ColorSpace = (function ColorSpaceClosure() { ColorSpace.parse = function(cs, xref, res, pdfFunctionFactory) { let IR = ColorSpace.parseToIR(cs, xref, res, pdfFunctionFactory); - return ColorSpace.fromIR(IR, pdfFunctionFactory); + return ColorSpace.fromIR(IR); }; - ColorSpace.fromIR = function(IR, pdfFunctionFactory) { + ColorSpace.fromIR = function(IR) { var name = Array.isArray(IR) ? IR[0] : IR; var whitePoint, blackPoint, gamma; @@ -231,23 +231,21 @@ var ColorSpace = (function ColorSpaceClosure() { case 'PatternCS': var basePatternCS = IR[1]; if (basePatternCS) { - basePatternCS = ColorSpace.fromIR(basePatternCS, pdfFunctionFactory); + basePatternCS = ColorSpace.fromIR(basePatternCS); } return new PatternCS(basePatternCS); case 'IndexedCS': var baseIndexedCS = IR[1]; var hiVal = IR[2]; var lookup = IR[3]; - return new IndexedCS(ColorSpace.fromIR(baseIndexedCS, - pdfFunctionFactory), + return new IndexedCS(ColorSpace.fromIR(baseIndexedCS), hiVal, lookup); case 'AlternateCS': var numComps = IR[1]; var alt = IR[2]; - var tintFnIR = IR[3]; - return new AlternateCS(numComps, ColorSpace.fromIR(alt, - pdfFunctionFactory), - pdfFunctionFactory.createFromIR(tintFnIR)); + var tintFn = IR[3]; + return new AlternateCS(numComps, ColorSpace.fromIR(alt), + tintFn); case 'LabCS': whitePoint = IR[1]; blackPoint = IR[2]; @@ -364,8 +362,8 @@ var ColorSpace = (function ColorSpaceClosure() { var name = xref.fetchIfRef(cs[1]); numComps = Array.isArray(name) ? name.length : 1; alt = ColorSpace.parseToIR(cs[2], xref, res, pdfFunctionFactory); - let tintFnIR = pdfFunctionFactory.createIR(xref.fetchIfRef(cs[3])); - return ['AlternateCS', numComps, alt, tintFnIR]; + let tintFn = pdfFunctionFactory.create(xref.fetchIfRef(cs[3])); + return ['AlternateCS', numComps, alt, tintFn]; case 'Lab': params = xref.fetchIfRef(cs[1]); whitePoint = params.getArray('WhitePoint');
src/core/function.js+32 −40 modified@@ -46,22 +46,24 @@ class PDFFunctionFactory { fnObj, }); } +} - createFromIR(IR) { - return PDFFunction.fromIR({ - xref: this.xref, - isEvalSupported: this.isEvalSupported, - IR, - }); +function toNumberArray(arr) { + if (!Array.isArray(arr)) { + return null; } - - createIR(fn) { - return PDFFunction.getIR({ - xref: this.xref, - isEvalSupported: this.isEvalSupported, - fn, - }); + const length = arr.length; + for (let i = 0; i < length; i++) { + if (typeof arr[i] !== 'number') { + // Non-number is found -- convert all items to numbers. + const result = new Array(length); + for (let i = 0; i < length; i++) { + result[i] = +arr[i]; + } + return result; + } } + return arr; } var PDFFunction = (function PDFFunctionClosure() { @@ -171,8 +173,8 @@ var PDFFunction = (function PDFFunctionClosure() { } return out; } - var domain = dict.getArray('Domain'); - var range = dict.getArray('Range'); + var domain = toNumberArray(dict.getArray('Domain')); + var range = toNumberArray(dict.getArray('Range')); if (!domain || !range) { throw new FormatError('No domain or range'); @@ -184,7 +186,7 @@ var PDFFunction = (function PDFFunctionClosure() { domain = toMultiArray(domain); range = toMultiArray(range); - var size = dict.get('Size'); + var size = toNumberArray(dict.get('Size')); var bps = dict.get('BitsPerSample'); var order = dict.get('Order') || 1; if (order !== 1) { 
@@ -193,17 +195,17 @@ var PDFFunction = (function PDFFunctionClosure() { info('No support for cubic spline interpolation: ' + order); } - var encode = dict.getArray('Encode'); + var encode = toNumberArray(dict.getArray('Encode')); if (!encode) { encode = []; for (var i = 0; i < inputSize; ++i) { - encode.push(0); - encode.push(size[i] - 1); + encode.push([0, size[i] - 1]); } + } else { + encode = toMultiArray(encode); } - encode = toMultiArray(encode); - var decode = dict.getArray('Decode'); + var decode = toNumberArray(dict.getArray('Decode')); if (!decode) { decode = range; } else { @@ -304,15 +306,10 @@ var PDFFunction = (function PDFFunctionClosure() { }, constructInterpolated({ xref, isEvalSupported, fn, dict, }) { - var c0 = dict.getArray('C0') || [0]; - var c1 = dict.getArray('C1') || [1]; + var c0 = toNumberArray(dict.getArray('C0')) || [0]; + var c1 = toNumberArray(dict.getArray('C1')) || [1]; var n = dict.get('N'); - if (!Array.isArray(c0) || !Array.isArray(c1)) { - throw new FormatError( - 'Illegal dictionary for interpolated function'); - } - var length = c0.length; var diff = []; for (var i = 0; i < length; ++i) { @@ -340,7 +337,7 @@ var PDFFunction = (function PDFFunctionClosure() { }, constructStiched({ xref, isEvalSupported, fn, dict, }) { - var domain = dict.getArray('Domain'); + var domain = toNumberArray(dict.getArray('Domain')); if (!domain) { throw new FormatError('No domain'); @@ -354,12 +351,12 @@ var PDFFunction = (function PDFFunctionClosure() { var fnRefs = dict.get('Functions'); var fns = []; for (var i = 0, ii = fnRefs.length; i < ii; ++i) { - fns.push(this.getIR({ xref, isEvalSupported, + fns.push(this.parse({ xref, isEvalSupported, fn: xref.fetchIfRef(fnRefs[i]), })); } - var bounds = dict.getArray('Bounds'); - var encode = dict.getArray('Encode'); + var bounds = toNumberArray(dict.getArray('Bounds')); + var encode = toNumberArray(dict.getArray('Encode')); return [CONSTRUCT_STICHED, domain, bounds, encode, fns]; }, 
@@ -368,14 +365,9 @@ var PDFFunction = (function PDFFunctionClosure() { var domain = IR[1]; var bounds = IR[2]; var encode = IR[3]; - var fnsIR = IR[4]; - var fns = []; + var fns = IR[4]; var tmpBuf = new Float32Array(1); - for (var i = 0, ii = fnsIR.length; i < ii; i++) { - fns.push(this.fromIR({ xref, isEvalSupported, IR: fnsIR[i], })); - } - return function constructStichedFromIRResult(src, srcOffset, dest, destOffset) { var clip = function constructStichedFromIRClip(v, min, max) { @@ -420,8 +412,8 @@ var PDFFunction = (function PDFFunctionClosure() { }, constructPostScript({ xref, isEvalSupported, fn, dict, }) { - var domain = dict.getArray('Domain'); - var range = dict.getArray('Range'); + var domain = toNumberArray(dict.getArray('Domain')); + var range = toNumberArray(dict.getArray('Range')); if (!domain) { throw new FormatError('No domain.');
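Review bot: In src/core/function.js, the new toNumberArray() converts with `+arr[i]`, so an entry that cannot be converted (an object, for example) becomes NaN and is passed on, and the callers visible in this patch only test `!domain || !range`, which an array of NaN passes. Consider throwing FormatError when a converted value is not finite, or state in a comment that NaN is an accepted output. The inner loop also redeclares `let i`, shadowing the outer counter, and a one-line doc comment listing the three return cases (null for a non-array, the same array when every entry is already a number, a fresh array otherwise) would help callers that mutate the result.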
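Review bot: In the sampled-function hunks of src/core/function.js (-184 and -193), `size` is now `toNumberArray(dict.get('Size'))`, which is null when Size is not an array, and the default-Encode branch then evaluates `size[i] - 1` with no guard, so a malformed dictionary surfaces as a TypeError rather than the FormatError raised for Domain and Range. A null check on `size` next to the existing `!domain || !range` test would keep the error handling consistent. `bps` and `order` are still taken from dict.get() unconverted.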
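Review bot: In constructInterpolated (src/core/function.js, hunk -304), removing the `!Array.isArray(c0) || !Array.isArray(c1)` FormatError changes behaviour: toNumberArray() returns null for a non-array, so a present but malformed C0 or C1 now falls through `|| [0]` / `|| [1]` and is silently replaced by the default. If that leniency is intended, say so in a comment; otherwise keep the FormatError for a value that is present and not an array. `n` is still read with dict.get('N') and is not converted.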
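Review bot: In src/core/colorspace.js (case 'AlternateCS' and the parseToIR hunk at -364) and in constructStiched, the arrays still called IR now carry live function objects (`tintFn` from pdfFunctionFactory.create(), `fns` from this.parse()) instead of plain data. Any caller that still treats an IR as serializable data would break on them, so the new contract deserves a comment at ColorSpace.parseToIR and PDFFunction, or the names should stop saying IR. In constructStiched, `fnRefs.length` is read without checking that dict.get('Functions') returned an array, and only `domain` is tested for null while `bounds` and `encode` can now be null as well.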
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2018:1414 (ghsa: vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2018:1415 (ghsa: vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-7jg2-jgv3-fmr4 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-5158 (ghsa: ADVISORY)
- security.gentoo.org/glsa/201810-01 (ghsa: vendor-advisory, x_refsource_GENTOO, WEB)
- usn.ubuntu.com/3645-1/ (mitre: vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2018/dsa-4199 (ghsa: vendor-advisory, x_refsource_DEBIAN, WEB)
- www.securityfocus.com/bid/104136 (ghsa: vdb-entry, x_refsource_BID, WEB)
- www.securitytracker.com/id/1040896 (ghsa: vdb-entry, x_refsource_SECTRACK, WEB)
- bugzilla.mozilla.org/show_bug.cgi (ghsa: x_refsource_CONFIRM, WEB)
- github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97 (ghsa: WEB)
- github.com/mozilla/pdf.js/pull/9659 (ghsa: WEB)
- lists.debian.org/debian-lts-announce/2018/05/msg00007.html (ghsa: mailing-list, x_refsource_MLIST, WEB)
- usn.ubuntu.com/3645-1 (ghsa: WEB)
- www.mozilla.org/security/advisories/mfsa2018-11 (ghsa: WEB)
- www.mozilla.org/security/advisories/mfsa2018-11/ (mitre: x_refsource_CONFIRM)
- www.mozilla.org/security/advisories/mfsa2018-12 (ghsa: WEB)
- www.mozilla.org/security/advisories/mfsa2018-12/ (mitre: x_refsource_CONFIRM)