Foxit Webplugins XSS

MEDIUM (6.3) No Patch

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Foxit Webplugins is a web application that provides plugins for various browsers. The vulnerability is in its postMessage handler: the handler does not validate the origin of incoming messages and assigns the externalPath value carried in the message directly to a script source, so a crafted postMessage from any origin can cause arbitrary JavaScript to execute in the page.
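The pattern above, reconstructed as an added example that is not Foxit's code: a handler with the described defect next to a hardened version that checks event.origin and pins the script URL to an allowlisted origin. The names (externalPath, TRUSTED_ORIGINS, loadScript) and the trusted origin are assumptions, and the script loader is a stand-in so the logic can be exercised without a DOM.

```javascript
// Hypothetical vulnerable shape of the handler described in the advisory:
// no origin check, and the message-supplied path flows straight into a
// <script src> assignment (loadScript stands in for that assignment).
function vulnerableHandler(event, loadScript) {
  const { externalPath } = event.data || {};
  if (typeof externalPath !== "string") return null;
  return loadScript(externalPath); // any sender, any URL
}

// Assumed deployment origin of the plugin page; adjust per installation.
const TRUSTED_ORIGINS = new Set(["https://plugins.example.com"]);

// Hardened shape: the sender must be allowlisted, the path must resolve to an
// https URL on a trusted origin, and only .js resources are accepted.
function hardenedHandler(event, loadScript, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(event.origin)) return null;          // 1. reject untrusted senders
  const { externalPath } = event.data || {};
  if (typeof externalPath !== "string") return null;
  let url;
  try {
    url = new URL(externalPath, event.origin);          // 2. resolve relative paths
  } catch {
    return null;                                        //    malformed input
  }
  if (url.protocol !== "https:") return null;           // 3. no javascript:/data:/http:
  if (!trusted.has(url.origin)) return null;            // 4. no protocol-relative escapes
  if (!url.pathname.endsWith(".js")) return null;       // 5. only script files
  return loadScript(url.href);
}

// Recording loader: returns what would have been assigned to script.src.
function makeLoader() {
  const loaded = [];
  return { loadScript: (src) => { loaded.push(src); return src; }, loaded };
}
```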

Am I affected?

Specific version info not stated in the advisory.

Affected Products

Foxit Software / Webplugins

How to fix

Concrete steps:

  1. Upgrade to Foxit Webplugins version 2.x or later.
  2. Download from: https://www.foxit.com/downloads

Immediate mitigations:
- Restrict network access to your Foxit Webplugins instance (firewall it from the public internet)
- Audit admin account activity for suspicious access patterns
- Monitor for unauthorized token creation

References