Security scan results

PDF.js Express 8.7.4

Hi, PDF.js team,

After running a security scan on our application, which relies on PDF.js Express, we found multiple issues. Could you please clarify whether those might be fixed in the near future as a part of technical support? Do you think you would be able to provide more information regarding those issues?

Here is the issue to file mapping:
{
“CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator(PRNG)”: [
“econsent\public\webviewer\core\external\decode.min.js”,
“econsent\public\webviewer\core\external\model-viewer-1.3.0.min.js”,
“econsent\public\webviewer\core\external\model-viewer-legacy-1.3.0.min.js”,
“econsent\public\webviewer\core\external\webcomponents-bundle.js”,
“econsent\public\webviewer\core\legacyoffice\legacyofficeworker.js”,
“econsent\public\webviewer\core\pdfjs\pdf.worker.js”,
“econsent\public\webviewer\core\pdfjs\pdfjsdocumenttype.js”,
“econsent\public\webviewer\core\pdfjs\pikaday.chunk.js”,
“econsent\public\webviewer\core\pikaday.chunk.js”,
“econsent\public\webviewer\core\webviewer-core.min.js”,
“econsent\public\webviewer\ui\webviewer-ui.min.js”
],
“CWE-564: SQL Injection: Hibernate”: [
“econsent\public\webviewer\core\external\decode.min.js”,
“econsent\public\webviewer\ui\webviewer-ui.min.js”
],
“CWE-327: Use of a Broken or Risky Cryptographic Algorithm”: [
“econsent\public\webviewer\core\pdfjs\pdf.worker.js”
],
“CWE-489: Active Debug Code”: [
“econsent\public\webviewer\core\external\decode.min.js”,
“econsent\public\webviewer\core\external\model-viewer-1.3.0.min.js”,
“econsent\public\webviewer\core\external\model-viewer-legacy-1.3.0.min.js”,
“econsent\public\webviewer\core\webviewer-core.min.js”,
“econsent\public\webviewer\ui\webviewer-ui.min.js”
],
“CWE-312: Cleartext Storage of Sensitive Information”: [
“econsent\public\webviewer\core\external\decode.min.js”
],
“CWE-829: Inclusion of Functionality from Untrusted Control Sphere”: [
“econsent\public\webviewer\core\external\decode.min.js”,
“econsent\public\webviewer\core\external\model-viewer-1.3.0.min.js”,
“econsent\public\webviewer\core\external\model-viewer-legacy-1.3.0.min.js”,
“econsent\public\webviewer\core\legacyoffice\legacyofficeworker.js”,
“econsent\public\webviewer\core\pdfjs\pdfjsdocumenttype.js”,
“econsent\public\webviewer\ui\chunks\2.chunk.js”,
“econsent\public\webviewer\ui\webviewer-ui.min.js”
],
“CWE-798: Use of Hard-coded Credentials”: [
“econsent\public\webviewer\core\pdfjs\pdfjsdocumenttype.js”,
“econsent\public\webviewer\core\webviewer-core.min.js”,
“econsent\public\webviewer\ui\webviewer-ui.min.js”
],
“CWE-94: Improper Control of Generation of Code (‘Code Injection’)”: [
“econsent\public\webviewer\core\pdfjs\pdfjsdocumenttype.js”
],
“CWE-20: Improper Input Validation”: [
“econsent\public\webviewer\core\webviewerserverpartretriever.chunk.js”
],
“CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”: [
“econsent\public\webviewer\ui\webviewer-ui.min.js”,
“public\webviewer\core\contentedit.chunk.js”,
“public\webviewer\core\pikaday.chunk.js”,
“public\webviewer\core\pdfjs\pikaday.chunk.js”,
“public\webviewer\core\external\webcomponents-bundle.js”
],
“CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes”: [
“public\webviewer\core\external\webcomponents-bundle.js”,
“public\webviewer\core\webviewerserverpartretriever.chunk.js”
],
“CWE-345: Insufficient Verification of Data Authenticity”: [
“public\webviewer\core\legacyoffice\legacyofficeworker.js”
],
“The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (CWE - CWE-798: Use of Hard-coded Credentials (4.14)) advisory.”: [
“econsent\public\webviewer\ui\i18n\translation-en.json”,
“econsent\public\webviewer\ui\webviewer-ui.min.js.map”
],
“When use AWS Secret Key is recommended use vault or environment variable encrypted for the best security. For more information checkout the CWE-798 (CWE - CWE-798: Use of Hard-coded Credentials (4.14)) advisory.”: [
“econsent\public\webviewer\ui\webviewer-ui.min.js.map”
],
“CWE-1333: Inefficient Regular Expression Complexity”: [
“public\webviewer\core\pdfjs\vendors.pikaday.chunk.js”,
“public\webviewer\core\external\webcomponents-bundle.js”
],
“CWE-319: Cleartext Transmission of Sensitive Information”: [
“public\webviewer\core\webviewerserverpartretriever.chunk.js”
]
}

Hello afarbotka1,

Thank you for raising these. A lot of these are non-issues as they do not apply to PDFJS Express; however, for some we would like more information.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator(PRNG)

PDFJS Express does not have any functionality that relies on a PRNG or Cryptographic Algorithm for security related functionality.

CWE-564: SQL Injection: Hibernate

PDFJS Express does not connect to an SQL database in any way.

CWE-489: Active Debug Code

Not specific about which lines of code are debug code.

CWE-312: Cleartext Storage of Sensitive Information
“econsent\public\webviewer\core\external\decode.min.js”

decode.min.js is open source code from Google, therefore not PDFJS Express’ domain:

CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CWE-798: Use of Hard-coded Credentials

We need the specific lines of code where this is happening; the example only gives us files, not lines in those files:

“econsent\public\webviewer\core\pdfjs\pdfjsdocumenttype.js”,
“econsent\public\webviewer\core\webviewer-core.min.js”,
“econsent\public\webviewer\ui\webviewer-ui.min.js”

“CWE-20: Improper Input Validation”

This only applies to the file:

“econsent\public\webviewer\core\webviewerserverpartretriever.chunk.js”

PDFJS Express does not connect to WebViewer Server, so this file is never used.

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (CWE - CWE-798: Use of Hard-coded Credentials (4.14)) advisory.
When use AWS Secret Key is recommended use vault or environment variable encrypted for the best security. For more information checkout the CWE-798 (CWE - CWE-798: Use of Hard-coded Credentials (4.14)) advisory.
CWE-319: Cleartext Transmission of Sensitive Information

We need specific lines of code to investigate further, but we do not have any hard-coded credentials in our code.

CWE-345: Insufficient Verification of Data Authenticity

This file pertains to:

“public\webviewer\core\legacyoffice\legacyofficeworker.js”

PDFJS Express does not leverage the Legacy Office Worker to convert old Office files to PDF, therefore this file would not be used.

Best regards,
Tyler

Here is more information regarding the place in the code, but it's related to minified files, though. Hope this will help.

Hello afarbotka1,

Thank you for the file lines.

Going through each report, it looks like these are all false positives, for example:

  • Licensing text linking to the license as additional code being added
  • SVG W3 URLs as code injection
  • XML namespace attribute declaration being counted as “included functionality”
  • The string “Password” as a hard-coded password
  • etc.

I suggest reviewing whatever options the program you are using has to rule these out to get a more accurate security log.

pikaday and webcomponents-bundle.js are external sources, so we cannot speak on those.

Best regards,
Tyler

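The triage described in the last reply, going from a reported line and column in a minified bundle to the text that actually triggered the rule, can be sketched as follows. This is an added example, not code from PDF.js Express or from the scanner: the function names, the benign patterns and the sample bundle are assumptions constructed for illustration, and a `likely-false-positive` verdict is a prompt for a human to confirm, not a final answer.

```javascript
// Added example: all names here are hypothetical, sample data is constructed.

// Text around a 1-based line / 0-based column. Minified bundles put thousands
// of characters on one line, so the column matters more than the line.
function snippetAt(source, line, column, radius = 40) {
  const ln = Number(line), col = Number(column);
  if (typeof source !== 'string' || !Number.isInteger(ln) || ln < 1) return null;
  const text = source.split('\n')[ln - 1];
  if (text === undefined) return null;
  const c = Number.isInteger(col) ? col : 0; // "null" column: start of line
  return text.slice(Math.max(0, c - radius), c + radius);
}

// Benign shapes named in the reply, each limited to the CWEs it can explain.
const BENIGN_PATTERNS = [
  { reason: 'W3C namespace URI (an identifier, not a script include)',
    cwes: ['CWE-94', 'CWE-829'], re: /https?:\/\/www\.w3\.org\/\d{4}\/[\w-]+/ },
  { reason: 'XML namespace attribute declaration',
    cwes: ['CWE-829'], re: /xmlns(:\w+)?\s*[=:]\s*["']/ },
  { reason: 'the word "Password" as a UI label',
    cwes: ['CWE-798'], re: /["'][A-Za-z ]*password[A-Za-z ]*["']/i },
];

function triage(finding, files) {
  const snippet = snippetAt(files[finding.file], finding.line, finding.column);
  if (snippet === null) return { ...finding, verdict: 'unlocatable' };
  const cweId = finding.cwe.split(':')[0];
  const hit = BENIGN_PATTERNS.find(p => p.cwes.includes(cweId) && p.re.test(snippet));
  return hit
    ? { ...finding, verdict: 'likely-false-positive', reason: hit.reason, snippet }
    : { ...finding, verdict: 'needs-review', snippet };
}

// Constructed sample: a three-line stand-in for a minified bundle.
const LINE2 = 'function i(){return h("svg",{xmlns:"http://www.w3.org/2000/svg"})}' +
  'var t={"label.password":"Password"};';
const SAMPLE_FILES = {
  'ui.min.js': ['var a=1;', LINE2, 'var token="constructed-placeholder-value";'].join('\n'),
};
const SAMPLE_FINDINGS = [
  { cwe: 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere',
    file: 'ui.min.js', line: '2', column: String(LINE2.indexOf('xmlns')) },
  { cwe: 'CWE-798: Use of Hard-coded Credentials',
    file: 'ui.min.js', line: '2', column: String(LINE2.indexOf('"label.password"')) },
  { cwe: 'CWE-798: Use of Hard-coded Credentials',
    file: 'ui.min.js', line: '3', column: '4' },
  { cwe: 'CWE-312: Cleartext Storage of Sensitive Information',
    file: 'ui.min.js', line: '0', column: '0' }, // position "0"/"0", as in the report
];

function triageAll(findings, files) {
  return findings.map(f => triage(f, files));
}

for (const r of triageAll(SAMPLE_FINDINGS, SAMPLE_FILES)) {
  console.log(`${r.verdict.padEnd(22)} ${r.cwe.split(':')[0]} ${r.file}:${r.line}:${r.column}`);
}
```

Findings that come back `unlocatable` or `needs-review` are the ones worth sending to the vendor with the extracted snippet attached.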