VYPR
Moderate severity · NVD Advisory · Published Jul 6, 2020 · Updated Aug 4, 2024

CVE-2020-7690

Description

All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-7690 is a DOM-based XSS vulnerability in jsPDF <2.0.0, allowing arbitrary JavaScript injection via the `html()` method.

Root Cause

CVE-2020-7690 is a cross-site scripting (XSS) vulnerability affecting the jsPDF library in versions prior to 2.0.0 [1]. The flaw resides in the html() method, which does not sanitize user-provided HTML. An attacker can embed arbitrary JavaScript that executes in the context of the document being generated [1][2].

Exploitation

An attacker can craft an HTML payload containing malicious event handlers (e.g., onerror or onload attributes) and pass it to the html() method [1][3]. No authentication is required; the attack vector is entirely client-side. The proof-of-concept provided by Snyk demonstrates injecting an `<img>` tag that executes a JavaScript payload when the image fails to load [1][4]. Applications that render untrusted HTML using jsPDF without prior sanitization are vulnerable.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser session of the user viewing the generated PDF content [1][2]. This can lead to data exfiltration, session hijacking, or other actions permitted by the same-origin policy of the application that embeds jsPDF.

Mitigation

The vulnerability is fixed in jsPDF version 2.0.0 and later [1]. Users of the Bower or WebJars distribution channels should upgrade to version 2.3.1 or higher [3][4]. If upgrading is not immediately possible, all user-supplied HTML should be sanitized before being passed to the html() method.
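One safe calling pattern for the sanitization step above, as an added example that is not part of this advisory or of the jsPDF project: user-supplied values are HTML-escaped into a fixed, trusted template and the result is checked before it reaches html(). `doc` stands for a jsPDF instance (assumed to expose html(src, options)), and `renderReport`, `buildReportHtml` and `onlyTemplateMarkup` are names chosen here.

```javascript
// Added example (not jsPDF's own code): keep untrusted input out of the markup
// handed to html() by treating every user-supplied value as text. The template
// is trusted and fixed; user values are HTML-escaped before interpolation, so an
// event-handler attribute inside a value renders literally instead of as markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value so it is inert inside element content or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Trusted template: the only markup in the output comes from these literals.
const TEMPLATE_TAGS = new Set(['h1', 'table', 'tr', 'td']);

function buildReportHtml(report) {
  const rows = report.items
    .map((item) => `<tr><td>${escapeHtml(item.name)}</td><td>${escapeHtml(item.note)}</td></tr>`)
    .join('');
  return `<h1>${escapeHtml(report.title)}</h1><table>${rows}</table>`;
}

// Belt-and-braces check before the call into jsPDF: every tag in the final string
// must be one of the template's own, and no on* attribute may be present.
function onlyTemplateMarkup(html) {
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g)) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) return false;
    if (/\son[a-z]+\s*=/i.test(m[2])) return false;
  }
  return true;
}

// Render a report through jsPDF (assumption: doc.html(src, options) as in jsPDF 2.x);
// refuses to render if the check fails. Returns the markup that was handed over.
function renderReport(doc, report) {
  const html = buildReportHtml(report);
  if (!onlyTemplateMarkup(html)) {
    throw new Error('unexpected markup in generated report HTML');
  }
  doc.html(html, { x: 10, y: 10 });
  return html;
}

// Constructed sample input; the note field carries markup of the kind the advisory describes.
const sampleReport = {
  title: 'Q1 review <draft>',
  items: [{ name: 'scan-01', note: '"><img src=x onerror="x()">' }],
};
```

In the browser, `renderReport(new jsPDF(), sampleReport)` produces a document in which the note is shown as literal text.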

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: jspdf (npm)
Affected versions: < 2.0.0
Patched versions: 2.0.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 11

News mentions: 0

No linked articles in our index yet.