Macabely

**Name of the Vulnerable Software and Affected Versions** SandboxJS versions prior to 0.9.6 **Description** Sandbox-defined functions expose the `Function.caller` property, which allows sandboxed code to recover the internal `LispType.Call` runtime callback. An attacker can invoke this callback using forged `context` and `obj` values to extract blocked host statics and recover the real host Function constructor. This process enables a total sandbox escape, allowing the execution of arbitrary host JavaScript. The issue stems from property access logic where sandboxed code can access `caller`, `callee`, and `arguments` properties on functions, specifically leaking the host-side callback in CommonJS builds. The `LispType.Call` handler is vulnerable because it accepts a parameters object and uses its fields without verifying they originated from the executor. **Recommendations** Update to version 0.9.6.

**Name of the Vulnerable Software and Affected Versions** jsPDF versions prior to 4.2.0 **Description** jsPDF is a JavaScript library used to generate PDF documents. Prior to version 4.2.0, the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions, through user-controlled input. This can lead to the execution of these actions when a user interacts with the PDF, such as hovering over a radio option. The vulnerability stems from a lack of sanitization of input passed to the Acroform module's properties and methods. **Recommendations** Versions prior to 4.2.0 should be updated to version 4.2.0 or later. As a workaround, sanitize user input before passing it to the vulnerable API members of the Acroform module.