A talk on how we have moved from local clients (Adobe, etc) to browsers and online services to render, view, edit, and sign PDF files, and how this has changed the role of PDFs in attacks and exploitations. From the false-positive vulnerabilities (CVE-2020-26505, CVE-2023-0108, CVE-2023-5873, and other CVEs that were not vulnerabilities) to vulnerabilities in client-side PDF SDKs.

During the talk, we will investigate some cross-site-scripting vulnerabilities exploited in the real world (e.g. bug bounty programs), focusing in particular on PDF.js (CVE-2018-5158, and CVE-2024-4367) and Apryse Webviewer (CVE-2024-4327, and CVE-2024-29359).
The talk will show how a PDF file can exploit web applications if they don't properly mitigate risks (using CSP, and keeping the dependencies updated).