jsPDF Acroform Module PDF Injection Vulnerability Allowing Arbitrary JavaScript Execution

Vulnerability

A vulnerability in the Acroform module of the jsPDF library, in versions prior to 4.2.0, allows arbitrary PDF objects, including JavaScript actions, to be injected into form elements through unsanitized input. The injected action executes when a victim hovers over the affected radio button option. The root cause is inadequate sanitization of the 'appearanceState' property of radio button children, which is written into the PDF as a name token without escaping.

Impact

Exploitation of this vulnerability allows for PDF object injection, where arbitrary JavaScript actions can be executed within the PDF context, potentially leading to cross-site scripting (XSS) attacks.

Reproduction

To reproduce this vulnerability, create a new jsPDF document and add a radio button field. Then, inject unsanitized input into the 'appearanceState' property of a child option, including JavaScript actions such as 'app.alert()'. When the PDF is opened and the radio button is hovered over, the injected JavaScript will execute.

Remediation

Users are advised to sanitize input before passing it to the Acroform module's vulnerable API members. The vulnerability has been fixed in jsPDF version 4.2.0.
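As an added example (not code from jsPDF or from this advisory), the helper below encodes an untrusted string as a PDF name token before it is used as an appearanceState value, so that delimiter characters cannot close the token and start a new PDF object; a stricter allowlist check is shown beside it. The function names are assumptions.

```javascript
// Added example: neutralize untrusted input destined for a PDF name token
// such as a radio-button appearanceState (written as "/AS /<value>").
// PDF name syntax (ISO 32000-1, 7.3.5): regular characters are written
// as-is; delimiters, whitespace, '#' and bytes outside 0x21..0x7E are
// written as #xx (two hex digits), so the name can never be terminated early.
const PDF_DELIMITERS = new Set(['(', ')', '<', '>', '[', ']', '{', '}', '/', '%', '#']);

function encodePdfName(value) {
  const text = String(value);
  const encoder = new TextEncoder(); // non-ASCII characters are escaped as UTF-8 bytes
  let out = '';
  for (const ch of text) {
    const code = ch.codePointAt(0);
    if (code < 0x21 || code > 0x7e || PDF_DELIMITERS.has(ch)) {
      for (const byte of encoder.encode(ch)) {
        out += '#' + byte.toString(16).toUpperCase().padStart(2, '0');
      }
    } else {
      out += ch;
    }
  }
  return out;
}

// Stricter alternative for values the application controls: reject anything
// that is not a short alphanumeric identifier instead of escaping it.
// (127 bytes is the name-length limit many PDF readers enforce.)
function isSafeAppearanceState(value) {
  return /^[A-Za-z0-9_-]{1,127}$/.test(String(value));
}

// Constructed sample inputs: the first is a normal option name, the second
// contains delimiter characters that would otherwise break out of the token.
const samples = ['Yes', 'Opt A/B <x>'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', encodePdfName(s), 'allowlisted:', isSafeAppearanceState(s));
}
```

The encoded form contains only regular name characters and `#`, so a value such as the second sample becomes a single harmless name token rather than a sequence of PDF objects.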

Added: Feb 19, 2026, 7:29 PM
Updated: Feb 19, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.3
exploitability: 4.4
remediation: 7.9
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.