Foxit Web Plugins (webplugins.foxit.com/calculator/commands.html)
Elite AI hackers aren’t born. They’re trained.
Elite AI hackers aren’t born. They’re trained.
Foxit Web Plugins (webplugins.foxit.com/calculator/commands.html)
Identified on the live production domain.
A postMessage handler fails to validate the actual sender’s origin, allowing an attacker to inject a remote script tag into the Foxit domain.
The handler incorrectly validates event.data.origin (a string inside the attacker-controlled JSON payload) instead of the browser-enforced event.origin. By passing {"origin": "FoxitApp"}, an attacker can reach a code path that accepts an externalPath URL and appends it to the DOM as a new <script> tag.