From 5411c9a3cfbd1274438899ae47d2b4f3eaddfd74 Mon Sep 17 00:00:00 2001
From: Eren-Akdag
Date: Sat, 10 Jan 2026 04:06:45 +0300
Subject: [PATCH] fix: pdfjs-content-spoofing template false positive reduction
---
 headless/mozilla-pdfjs-content-spoofing.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/headless/mozilla-pdfjs-content-spoofing.yaml b/headless/mozilla-pdfjs-content-spoofing.yaml
index 01df4ff8e39..ab1d2a86bd5 100644
--- a/headless/mozilla-pdfjs-content-spoofing.yaml
+++ b/headless/mozilla-pdfjs-content-spoofing.yaml
@@ -2,7 +2,7 @@ id: pdfjs-content-spoofing
 info:
 name: Mozilla PDF.js - Content Spoofing
- author: 0x_Akoko
+ author: 0x_Akoko,s4e-io
 severity: medium
 description: |
 Detected PDF.js viewer loads and renders external PDF files without proper origin validation. Versions < v1.3.91 are vulnerable to content spoofing attacks.
@@ -44,7 +44,9 @@ headless:
 - type: word
 part: body
 words:
- "pdf.js"
+ - "viewerContainer"
+ - "pdfViewer"
+ condition: and
 - type: word
 part: body
@@ -53,5 +55,4 @@ headless:
 - "file origin does not match"
 - "blocked"
 - "Not Found"
- condition: or
-# digest: 490a0046304402207dc1eb1cfd5bc25039d729f591a15f5a9a37667ed6ad50d1c1c73fe20004b9a8022071080c75bcced708e51b213a2d9887954d7145d3666a5b1de77a04eb08905a67:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+ condition: or
\ No newline at end of file
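Review bot: The two words added to the first matcher in the second hunk, `viewerContainer` and `pdfViewer`, look like static viewer markup, so with `condition: and` they identify a PDF.js viewer page but do not show that the external file was rendered or which version is running. The finding then rests on the following word matcher, whose remaining keys lie outside this hunk. It is worth confirming against a release older than v1.3.91 that both strings appear in the page body, since a marker missing from old viewer markup would turn this false-positive fix into a false negative for the versions the description names. A comment above `words:` would record the intent, e.g. `# viewer.html DOM markers; both required so pages that only mention "pdf.js" do not match`.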
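Review bot: The `# digest:` line is removed in the last hunk and nothing replaces it, so the template as committed carries no signature. That is expected after a hand edit, since the old digest would no longer verify, but the template should be re-signed by the project's signing step (presumably in CI) before it is distributed. The new side also still ends without a trailing newline after `condition: or`; adding one avoids the `\ No newline at end of file` marker on the next edit.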