The Markdown PDF extension automatically installs Chromium 80.0.3987.0 during its initial setup for PDF generation. This particular version was released over three years ago and may still harbor security vulnerabilities that have come to light since its release. An adversary with malicious intent could potentially exploit these unpatched vulnerabilities by embedding tricks within the Markdown content.
This extension provides the option to configure the Chromium path, allowing users to mitigate security risks by using a more recent version of Chromium. However, considering the likelihood that many users may stick with the default settings, the automatic installation may still be exposing a significant number of users to potential security risks.
To address this issue, the following steps could be considered:
Workaround: Update Puppeteer to the latest version to get the latest Chromium.
Permanent: Fetch the latest release of Chromium from remote during initial setup, or always use the browser that users have manually installed instead of automatically installing Chromium.
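
A defender-side check for the mitigation described above, as an added example that is not part of the original report or the extension's code: it decides from a VS Code settings object whether Markdown PDF would fall back to its downloaded Chromium 80.0.3987.0, and whether a configured browser meets a minimum version. The setting name `markdown-pdf.executablePath` (not named in the report), the sample path and the version floor are assumptions.

```javascript
// Added example: audit which browser Markdown PDF would launch for PDF export.
const BUNDLED_VERSION = '80.0.3987.0'; // the version named in this report

// Pull the four-part version out of `--version` output such as
// "Chromium 80.0.3987.0" or "Google Chrome 126.0.6478.61 beta".
function parseBrowserVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  return m ? m.slice(1).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// settings: parsed VS Code settings; versionOutput: what the configured
// browser printed for `--version` (null if it was not run);
// minVersion: the auditor's own policy floor (assumption, not from the report).
function auditMarkdownPdf(settings, versionOutput, minVersion) {
  const floor = parseBrowserVersion(minVersion);
  if (!floor) throw new Error('minVersion must look like 120.0.0.0');
  const path = String(settings['markdown-pdf.executablePath'] || '').trim();
  if (path === '') {
    // Default settings: the extension uses the Chromium it installed itself.
    const ok = compareVersions(parseBrowserVersion(BUNDLED_VERSION), floor) >= 0;
    return { browser: 'bundled', version: BUNDLED_VERSION, ok };
  }
  const found = parseBrowserVersion(versionOutput);
  // Fail closed: a configured browser with an unknown version is not accepted.
  if (!found) return { browser: path, version: null, ok: false };
  return { browser: path, version: found.join('.'), ok: compareVersions(found, floor) >= 0 };
}

// Constructed sample inputs (not taken from a real machine).
const samples = [
  [{}, null],
  [{ 'markdown-pdf.executablePath': '/usr/bin/chromium' }, 'Chromium 126.0.6478.61 snap'],
  [{ 'markdown-pdf.executablePath': '/opt/old/chrome' }, 'Google Chrome 80.0.3987.0'],
];
for (const [settings, output] of samples) {
  console.log(auditMarkdownPdf(settings, output, '120.0.0.0'));
}
```
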