You are here

Universal PDF XSS (UXSS)


This vulnerability is also known as Adobe Acrobat cross-site scripting and code execution.
The Adobe Acrobat Reader Plugin is vulnerable to cross-site scripting (XSS), caused by improper validation of input passed to PDF documents. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal or corrupt the victim's cookie-based authentication credentials or possibly obtain other sensitive information.

This vulnerability could be exploited for a Javascript code execution on clients, e.g. for information disclosure or session hijacking.


It is typically impossible to guarantee that all clients accessing your web application use a patched browser and acrobat version. We therefore recommend to let Airlock protect your clients. As mentioned in [2], the unique Airlock feature "URL encryption" can mitigate Universal PDF XSS attacks (since version 3.5).

Since version 4.0-9.28, Airlock also offers an alternative solution that works without URL encryption: The new option "Download PDFs as attachment" (Virtual Host settings) protects the client because it forces browsers to display the "Open/Save as…" dialog rather than loading he PDF in the embedded Acrobat Plug-In.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration