Author: Heige(a.k.a Superhei) of KnownSec 404 Team
Date: 03/19/2019

1 res://apds.dll/redirect.html dom xss had reported an xss vulnerability in res://apds.dll/redirect.html. And this vulnerability has not been fixed until now.

This vulnerability is a typical dom xss vulnerability form the res://apds.dll/redirect.html code:

<!DOCTYPE html>
<html xmlns="" >
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <script type="text/javascript">
        var targetParamRegex = /[\?\&]target=([^\&\#]+)/i;
        var targetResults = targetParamRegex.exec(;
        if (targetResults) {



2 from http:// domain to res:// domain

Usually accessing res:// resources via http:// domain is not allowed. The Javascript function in Adobe PDF can access multiple URLs include http(s):// file:// etc. Of course, in general, there will be security tips when you open the PDF files.

But when we use to access res:// or http(s):// by IE Adobe's PDF ActiveX plugin :

There are no security alerts. and the xss payload "alert(1)" is executed.



r.pdf code:

1 0 obj

2 0 obj <<>>
<xdp:xdp xmlns:xdp="">

    <subform name="a">

  /Pages <<>>
      /XFA 2 0 R

3 fixed?

Due to some security domain isolation of IE, the harm of res:// domain xss is limited. But I think Microsoft should actively fix the res://apds.dll/redirect.html xss vulnerability, and Adobe should disable or give corresponding security warnings when URL redirect,The world can be more beautiful and harmonious!

4 Timeline

  • October 04, 2018 Report it to Adobe PSIRT and MSRC
  • October 05, 2018 Adobe tracking number PSIRT-8981.
  • October 09, 2018 MSRC Case 47932  CRM:0461065793
  • October 18, 2018 Adobe PSIRT has been investigating and still
  • November 21, 2018 MSRC have completed our investigation and determined that the case doesn't meet the bar for immediate servicing in a security update.
  • March 19, 2019 Public
  • October 15,2019 Adobe fix it in the APSB19-49 update (CVE-2019-8160).

Paper 本文由 Seebug Paper 发布,如需转载请注明来源。本文地址: