CVE-2015-4495 — Mozilla Firefox Security Feature Bypass Vulnerability

CVE-2015-4495

Mozilla Firefox / PDF.js — Same Origin Policy Bypass via PDF.js Zero-Day Actively Used to Steal Local Files; Emergency Firefox 39.0.3 (August 2015)

What Is PDF.js?

PDF.js is Mozilla's open-source, JavaScript-based PDF renderer built into Firefox. Rather than relying on a native plugin (like Adobe Acrobat), Firefox uses PDF.js to render PDF documents entirely within the browser using JavaScript and HTML5 Canvas. PDF.js runs in a privileged browser context to handle PDF rendering — but in vulnerable versions, a flaw in how it handles certain PDF content allowed attacker-controlled JavaScript to escape normal web content security restrictions and access local filesystem resources.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-4495 is a Same Origin Policy (SOP) bypass vulnerability in Mozilla Firefox's built-in PDF.js renderer that was actively exploited in the wild to steal files from victims' computers before Mozilla released an emergency patch. The exploit, discovered deployed in advertisement code on a Russian news website, used a specially crafted PDF to bypass Firefox's security sandbox and read arbitrary local files, then uploaded the stolen files to a remote server. Mozilla released an emergency out-of-band update, Firefox 39.0.3, on August 7, 2015, one day after the exploit was discovered in active use.

Affected Versions

Firefox Version                  Status
Firefox 39.0 and earlier         Vulnerable
Firefox ESR 38.1.0 and earlier   Vulnerable
Firefox 39.0.3                   Fixed
Firefox ESR 38.1.1               Fixed
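A small version check that encodes the table above is the first thing an administrator needs when sweeping a fleet for this bug. The following is an added example written for this page, not code from Mozilla or from the advisory; it assumes `firefox --version` prints a banner of the form `Mozilla Firefox X.Y.Z`, and it uses an `esr` suffix on the version string (an assumption about how the inventory records the channel) to decide whether to compare against the ESR fix or the release fix.

```python
import re
from typing import Tuple

# Fixed versions exactly as given in the advisory's Affected Versions table.
FIXED_RELEASE = (39, 0, 3)   # Firefox 39.0.3
FIXED_ESR = (38, 1, 1)       # Firefox ESR 38.1.1


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse '39.0', '39.0.3' or '38.1.0esr' into ((major, minor, patch), is_esr).

    Missing components count as 0, so '39.0' becomes (39, 0, 0). Pre-release
    suffixes such as 'a1' or 'b3' are dropped: the advisory's table says
    nothing about Nightly/Beta builds, so they are compared purely numerically.
    """
    v = version.strip().lower()
    is_esr = v.endswith("esr")          # assumed convention for ESR installs
    if is_esr:
        v = v[:-3]
    m = re.match(r"^(\d+(?:\.\d+){0,2})", v)
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2]), is_esr


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its update channel."""
    nums, is_esr = parse_version(version)
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return nums < fixed


def version_from_banner(banner: str) -> str:
    """Extract the version from a `firefox --version` banner, e.g. 'Mozilla Firefox 39.0.3'."""
    m = re.search(r"Firefox\s+(\S+)", banner)
    if not m:
        raise ValueError(f"not a Firefox version banner: {banner!r}")
    return m.group(1)


def audit(banner: str) -> str:
    """Classify one banner line as 'vulnerable' or 'fixed' for CVE-2015-4495."""
    return "vulnerable" if is_vulnerable(version_from_banner(banner)) else "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real hosts.
    for banner in ("Mozilla Firefox 39.0", "Mozilla Firefox 38.1.0esr",
                   "Mozilla Firefox 39.0.3", "Mozilla Firefox 38.1.1esr"):
        print(f"{banner:30} -> {audit(banner)}")
```

Because the comparison is a plain tuple comparison, an ESR 31.x install is reported vulnerable (it is "ESR 38.1.0 and earlier") and anything at or above the fixed version on its channel is reported fixed, which matches the table without special-casing each row.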

Technical Details

Root Cause: PDF.js Same Origin Policy Bypass

CVE-2015-4495 stems from a flaw in how Firefox's PDF.js renderer handles JavaScript within PDF content. PDF.js is executed in a privileged context within Firefox: it has access to Firefox's internal APIs, including the ability to read file:// URLs (local files). A crafted PDF containing malicious JavaScript could exploit a parsing flaw to break out of the expected PDF rendering context and execute JavaScript that could:

  1. Read local files — access any file readable by the user via file:// URIs, including SSH keys, configuration files, environment files, browser profiles, and documents
  2. Exfiltrate data — make XMLHttpRequest calls to send stolen file contents to an attacker-controlled server

The exploit worked because PDF.js code running in the special PDF rendering context was not properly isolated from Firefox's privileged APIs despite appearing to operate in a web content context.

Real-World Exploit Behavior

The exploit seen in the wild specifically targeted:

  • Linux users: /etc/passwd, /etc/group, /etc/hosts, /etc/hostname, /etc/issue, .bash_history, .bash_profile, .bashrc, SSH private keys (~/.ssh/id_rsa), Subversion credentials (~/.subversion/auth/), S3 credentials (~/.s3cfg), and similar developer/sysadmin files
  • Windows users: similar credential and configuration file theft
  • macOS users: targeted similarly

Stolen data was exfiltrated to a server with a Ukrainian IP address.

Attack Characteristics

Attribute          Detail
Attack Vector      Network: malicious PDF content delivered via web page or ad
User Interaction   Required (visit page / view PDF)
Impact             Arbitrary local file read; credential theft
Delivery           Malvertising (embedded in an ad on a news site)
Targets            Firefox users on Linux, macOS and Windows (any platform)
Data Stolen        SSH keys, credentials, config files, developer secrets

Discovery

Security researcher Cody Crews discovered the exploit deployed in the wild and reported it to Mozilla on August 6, 2015. The exploit was found embedded in advertisement code on a Russian news site — visitors with Firefox had their files scanned and stolen without any indication beyond a brief page load pause. Mozilla responded within 24 hours with an emergency out-of-band release.

Exploitation Context

  • Zero-day file theft: CVE-2015-4495 was used for targeted credential theft against developers and system administrators — the files targeted (SSH keys, S3 credentials, Subversion auth, .bashrc) indicate the attacker was specifically interested in access credentials for further infrastructure compromise
  • Malvertising delivery: The exploit reached victims through compromised or purchased advertising inventory on a legitimate Russian news site, exposing any Firefox user who visited the site — not just those who opened PDFs
  • Cross-platform impact: Unlike Flash exploits targeting specific OS/browser combinations, the PDF.js exploit worked against Firefox on Linux, Windows, and macOS — a significant advantage
  • Responsible disclosure and rapid response: Mozilla's 24-hour turnaround from discovery to patch release was exemplary; the coordinated disclosure and immediate patch availability limited the exploitation window
  • CISA KEV (2022): Added May 2022, years after the patch, reflecting continued exploitation of unpatched Firefox versions in legacy environments

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update Firefox — upgrade to Firefox 39.0.3 or later (any current Firefox version is patched). Firefox 39.0.3 was released August 7, 2015.

  2. Keep Firefox current — Firefox receives regular security updates; enabling automatic updates prevents vulnerability exposure windows.

  3. Rotate compromised credentials — if the device ran a vulnerable Firefox version and visited pages carrying advertising content in August 2015 before the 39.0.3 patch was applied, assume SSH keys, S3 credentials, Subversion credentials, and other secrets stored in home directory configuration files may have been compromised. Rotate affected credentials.

  4. Review access logs — for organizations with logging infrastructure, check for unauthorized access using credentials that may have been stolen during the exploitation window.
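Step 3 is easier to carry out with an inventory of which of the targeted files actually exist on a host and whether they have been touched since the fix shipped. The following is an added example, not code from the advisory or from Mozilla: it checks the home-directory paths the advisory lists for the Linux exploit, reports each one's last-modified time relative to the patch date, and derives a rotate-now list. The per-file actions and the "modified since patch" heuristic are this example's own; the demo runs against a constructed temporary home directory, not real user data.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Date of the Firefox 39.0.3 / ESR 38.1.1 fix, from the advisory timeline.
PATCH_DATE = datetime(2015, 8, 7, tzinfo=timezone.utc)

# Home-directory paths the advisory names as targets of the Linux exploit,
# each with the follow-up action this example suggests (the actions are the
# example's own wording, not text from the advisory).
TARGETED_PATHS: Dict[str, str] = {
    ".ssh/id_rsa": "rotate: generate a new key pair and revoke the old public key on every host",
    ".subversion/auth": "rotate: change the Subversion password(s) cached here",
    ".s3cfg": "rotate: replace the S3 access key / secret",
    ".bash_history": "review: revoke any secret typed on the command line",
    ".bash_profile": "review: revoke any token or password exported here",
    ".bashrc": "review: revoke any token or password exported here",
}


def inventory(home: Path) -> List[Dict[str, object]]:
    """One record per targeted path present under `home`.

    `modified_since_patch` is a heuristic: a secret file rewritten after the
    patch date has most likely been replaced already; one untouched since
    before the fix is unchanged from the exposure window and must be rotated.
    """
    records: List[Dict[str, object]] = []
    for rel, action in TARGETED_PATHS.items():
        p = home / rel
        if not p.exists():
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        records.append({
            "path": rel,
            "is_dir": p.is_dir(),
            "last_modified": mtime.isoformat(),
            "modified_since_patch": mtime > PATCH_DATE,
            "action": action,
        })
    return records


def needs_rotation(records: List[Dict[str, object]]) -> List[str]:
    """Paths whose action is a rotation and that are unchanged since the fix."""
    return [str(r["path"]) for r in records
            if str(r["action"]).startswith("rotate") and not r["modified_since_patch"]]


def build_sample_home(root: Path) -> Path:
    """Construct a fake home directory for the demo (constructed data only).

    id_rsa is back-dated to 2015-01-01, .s3cfg keeps the current time,
    and .bashrc is absent.
    """
    home = root / "home" / "dev"
    (home / ".ssh").mkdir(parents=True)
    key = home / ".ssh" / "id_rsa"
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                   "-----END OPENSSH PRIVATE KEY-----\n")
    old = datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(key, (old, old))
    (home / ".s3cfg").write_text("[default]\naccess_key = PLACEHOLDER\n")
    return home


def demo() -> List[Dict[str, object]]:
    """Run the inventory against a temporary constructed home directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_home(Path(tmp)))


if __name__ == "__main__":
    recs = demo()
    for r in recs:
        print(f"{r['path']:18} modified_since_patch={str(r['modified_since_patch']):5} {r['action']}")
    print("rotate now:", needs_rotation(recs))
```

Against a real host you would call `inventory(Path.home())` (or iterate over `/home/*`) and feed `needs_rotation` into your ticketing; the mtime heuristic only says a file was not rewritten after the fix, so a key that was rotated by editing it in place before August 7, 2015 would still be flagged, which errs on the side of rotating.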

Key Details

Property              Value
CVE ID                CVE-2015-4495
Vendor / Product      Mozilla — Firefox
NVD Published         2015-08-08
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
CISA KEV Added        2022-05-25
CISA KEV Deadline     2022-06-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date         Event
2015-08-06   Active exploitation of CVE-2015-4495 detected in the wild; exploit embedded in a Russian news site advertisement, stealing local files from Firefox users
2015-08-06   Mozilla notified by security researcher Cody Crews; exploit code posted to Mozilla's bug tracker
2015-08-07   Mozilla releases Firefox 39.0.3 and Firefox ESR 38.1.1 emergency out-of-band updates addressing CVE-2015-4495
2015-08-08   CVE-2015-4495 published by NVD
2022-05-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15   CISA BOD 22-01 remediation deadline