Apryse WebViewer Core & UI Notes Panel
Elite AI hackers aren’t born. They’re trained.
Elite AI hackers aren’t born. They’re trained.
Apryse WebViewer Core & UI Notes Panel
v11.8 (Core bundle)
Malicious PDF annotations containing XSS payloads in the “Author” field execute when a user interacts with the comments/notes panel.
The author string travels from the PDF (Core layer) to React component props (UI layer). When a user triggers a React state change (like typing a comment), the he() function (a React internal helper) assigns the unsanitized author string directly to innerHTML. The payload is “stored” within the document’s metadata.