Closed: colleirose closed 3 months ago
We've never supported using `eval` for anything due to our Content-Security-Policy not allowing `unsafe-eval`. It would be fine to turn off eval at this layer in addition to the more reliable systemic disabling via Content-Security-Policy. We've regularly tested that pdf.js handles having it disabled via CSP. I don't think they used to have an option to disable it so we've always simply relied on the fact that they can handle it being disallowed as a whole and fall back to doing things another way.
We can disable their usage of eval in this more specific way too, but the commit message should note that it has always been disabled at another layer (CSP). It doesn't make sense to mention CVE-2024-4367 in this way since they fixed it through removing that functionality and it didn't impact us so we don't need to mitigate it as we have always prevented that class of vulnerability.
Included in https://github.com/GrapheneOS/PdfViewer/pull/364.
This reduces attack surface and mitigates CVE-2024-4367