How to update pdf.js plugin through gallery?

Describe the issue or problem

A system scan detected a vulnerability in the pdf.js plugin. I don’t want to update the whole of OJS and want to update only the plugin. I’ve downloaded the newest pdf.js plugin from the Mozilla site and replaced mjs instances with js so paths outside of the plugin wouldn’t be broken (according to search it should not break the plugin itself), but I cannot upload the repackaged file to OJS.

I am constantly getting ‘archive doesn’t contain folder with correct plugin name’.

How exactly should the tree of said .tar.gz archive look to upload correctly to OJS?

Steps I took leading up to the issue

  1. download newest version of pdf.js plugin from Mozilla site in .zip

  2. unpack, change core name to pdf.js and pack with tar cfz pdf.js.tar.gz pdf.js

  3. upload file through plugin gallery

What application are you using?
OJS 3.4.0.5

Hi @Mikolaj,

Do you have an option to update the plugin directly in the plugin gallery (Website → Plugins → Installed plugins)?

This method of updating is preferred over updating manually, because it ensures that the version you’ll be upgrading to is compatible with your given OJS version. If you don’t see an upgrade option, that’s likely because you’re using the most recent compatible version of the plugin.

-Roger
PKP Team

Clicking Upgrade takes me to the upload window, with no offer to use something prepackaged.

Info from inspection tool (OWASP ZAP):

The identified library pdf.js, version 2.6.347 is vulnerable. CVE-2024-4367 https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6 https://github.com/mozilla/pdf.js/pull/18015
https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq https://github.com/mozilla/pdf.js https://github.com/advisories/GHSA-wgrm-67xf-hhpq

Hi @Mikolaj,

You could try applying this patch to your 3.4.0-x installation – however, please take a backup first, and note that this hasn’t been tested. I do suspect it’ll work. Make sure to flush your browser cache.

See Update pdf.js library to the latest version · Issue #69 · pkp/pdfJsViewer · GitHub for details.

Regards,
Alec Smecher
Public Knowledge Project Team