New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 592470 link

Starred by 1 user
Status: WontFix
Owner:
dcheng@chromium.org
Closed: Mar 2016
Cc:
jialiul@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: XSS using Google Chrome PDF handler

Reported by iqaba...@gmail.com, Mar 7 2016 

VULNERABILITY DETAILS
Its possible to execute arbitrary scripts using the chrome pdf handler

VERSION
Chrome Version: [49.0.2623.75 m] + [stable]
Operating System: Windows 8.1, 64bit

REPRODUCTION CASE
Open the attached PDF using chrome and simply right click the text '@qab' and choose 'open in new tab', javascript is executed.
in.pdf
46.6 KB Download

Comment 1 by jialiul@chromium.org, Mar 7 2016

Cc: dcheng@chromium.org
Hi iqabandi@, 
Thanks for reporting! It does not feel like a new vulnerability to me. dchang@ knows much better than me in this area. 
+dcheng@, could you help me triage this bug?

Comment 2 by jialiul@chromium.org, Mar 7 2016

Cc: -dcheng@chromium.org jialiul@chromium.org
Owner: dcheng@chromium.org

Comment 3 by mbarbe...@chromium.org, Mar 7 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
While it is true that this will result in the execution of javascript, it's not XSS.
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 1 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 2 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Sign in to add a comment