VadimDez / ng2-pdf-viewer

📄 PDF Viewer Component for Angular
https://vadimdez.github.io/ng2-pdf-viewer/
MIT License

Critical Security Vulnerability in dependency package "pdfjs" #1109

Closed bdalvandi-awaremd closed 1 month ago

bdalvandi-awaremd commented 5 months ago
Bug Report or Feature Request (mark with an x)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [X] Bug report -> please search issues before submitting
- [ ] Feature request
- [ ] Documentation issue or request

The latest version of ng2-pdf-viewer (10.2.2) has a dependency on pdfjs-dist version 3.11.x, which has recently been discovered to have an extremely critical vulnerability, allowing attacks on the domain. The latest version of pdfjs-dist has remediated that vulnerability. I am wondering whether a new version of ng2-pdf-viewer is coming out soon that uses the latest version and remediates this vulnerability?

shamoon commented 5 months ago

Did you search? Multiple issues cover this already

bdalvandi-awaremd commented 5 months ago

> Did you search? Multiple issues cover this already

Yes. But I don't see any of them clearly explaining how to overcome the vulnerability. The closest thing I have seen is people mentioning to set the eval to false or something, but where and how is not clear. Can you by any chance point me to a clear solution? Thanks.

mejobloggs-cw commented 4 months ago

I agree it's not clear how to resolve this security issue. Is there a patch or update coming?

shamoon commented 4 months ago

Did you try reading the release notes, e.g. for v10.2.0?

https://github.com/VadimDez/ng2-pdf-viewer/pull/1092 resolves the CVE but does not update the pdfjs package to 4.x, so automated security tools will still complain even though the issue is resolved.
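The comment above points out that a behavioural fix in a 3.11.x release still trips version-based scanners, because they compare the installed pdfjs-dist version against a "fixed" boundary rather than inspecting what the code does. The following is an added example, not code from ng2-pdf-viewer or from anyone in this thread, of exactly that kind of version-based check run over a constructed package-lock fragment. It assumes the package-lock v2/v3 "packages" layout, and uses "4.0.0" as the 4.x boundary the thread mentions, not as an advisory's precise fixed version.

```javascript
// Added example (not from ng2-pdf-viewer or this issue thread): a minimal,
// offline version-based audit of an npm lockfile. It shows why tools that only
// compare versions keep flagging pdfjs-dist after a behavioural fix: a 3.11.x
// copy whose eval path was disabled would still be reported here.
// Assumptions: package-lock.json v2/v3 "packages" map; "4.0.0" is the 4.x
// boundary the thread mentions, not a precise advisory range.

// Constructed lockfile fragment (not a real project's lockfile): one hoisted
// pdfjs-dist on 4.0.1 and one nested copy pinned by ng2-pdf-viewer on 3.11.0.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "ng2-pdf-viewer": "^10.2.2" } },
    "node_modules/ng2-pdf-viewer": {
      version: "10.2.2",
      dependencies: { "pdfjs-dist": "~3.11.0" },
    },
    "node_modules/ng2-pdf-viewer/node_modules/pdfjs-dist": { version: "3.11.0" },
    "node_modules/pdfjs-dist": { version: "4.0.1" },
  },
};

// Parse "major.minor.patch[-prerelease]" into a numeric triple; prerelease
// and build metadata are ignored for this check.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Return every installed copy of `pkg` (hoisted or nested under another
// dependency) whose version is below `fixedVersion`. Nested copies matter:
// a fixed hoisted copy does not protect a consumer that resolves its own.
function findOutdated(lock, pkg, fixedVersion) {
  const suffix = `node_modules/${pkg}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix) || !entry.version) continue;
    if (compareSemver(entry.version, fixedVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Stand-alone run: reports the nested 3.11.0 copy and nothing else.
console.log(findOutdated(SAMPLE_LOCK, "pdfjs-dist", "4.0.0"));
```

The point for a practitioner is the inverse of what the scanner reports: a hit from this kind of check tells you the version is old, not whether the vulnerable behaviour is reachable, so a maintainer-backported fix needs to be recorded (for example by noting the fixing PR in the audit exception) rather than silenced.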

DerekLiang commented 4 months ago

Does anyone know what is the effort to update the dependency to pdfjs 4.x?

shamoon commented 4 months ago

... https://github.com/VadimDez/ng2-pdf-viewer/pull/1105

shamoon commented 1 month ago

Should be closed

VadimDez commented 1 month ago

Closing @shamoon