PatchSiren

CVE-2017-2929 Adobe CVE debrief

CVE-2017-2929 is a medium-severity DOM-based cross-site scripting issue in the Adobe Acrobat Chrome extension version 15.1.0.3 and earlier. According to NVD, successful exploitation could lead to JavaScript code execution. Adobe’s security advisory APSB17-03 is listed as the patch reference.

Vendor: Adobe
Product: CVE-2017-2929
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-24
Original CVE updated: 2026-05-13
Advisory published: 2017-01-24
Advisory updated: 2026-05-13

Who should care

Administrators and security teams managing Chrome environments where the Adobe Acrobat Chrome extension is installed, especially if older extension versions may still be present.

Technical summary

NVD classifies this issue as CWE-79 (cross-site scripting) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, score 6.1. The vulnerable CPE entry names adobe:acrobat:15.1.0.3 and earlier in the Chrome extension context. Because the flaw is DOM-based XSS, attacker-controlled input can be handled unsafely in the browser extension and may enable JavaScript execution when a user interacts with content.

Defensive priority

Medium. The issue requires user interaction and is not listed as a KEV item in the stored evidence, but it can result in JavaScript execution in a browser-integrated Adobe component, so affected deployments should be patched or removed promptly.

Recommended defensive actions

  • Update Adobe Acrobat Chrome extension to a version newer than 15.1.0.3 using Adobe’s guidance in APSB17-03.
  • Audit managed endpoints for the affected Acrobat Chrome extension version and verify no legacy installations remain.
  • Treat untrusted content opened in the affected browser-extension workflow as potentially unsafe until remediation is confirmed.
  • Prioritize remediation in environments where users commonly open PDF-related content in Chrome with the Adobe extension enabled.
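One way to carry out the audit step above, as an added example that is not part of the original debrief or Adobe's advisory. It assumes Chrome's on-disk layout of `Extensions/<extension-id>/<version>_<n>/manifest.json` inside a profile directory; the extension ID is a placeholder to fill in from your own inventory, and all function names are hypothetical.

```python
import json
import sys
import tempfile
from pathlib import Path

# Placeholder: the page does not give the extension ID; take it from your inventory.
EXTENSION_ID = "ACROBAT_EXTENSION_ID_PLACEHOLDER"
LAST_AFFECTED = "15.1.0.3"  # from the CVE description: 15.1.0.3 and earlier


def parse_version(text):
    """Chrome extension versions are one to four dot-separated integers."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def audit_profile(profile_dir, extension_id=EXTENSION_ID):
    """Return (version, needs_action, path) for every installed copy found."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions" / extension_id
    if not ext_root.is_dir():
        return findings
    for version_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        try:
            raw = (version_dir / "manifest.json").read_text(encoding="utf-8-sig")
            version = json.loads(raw)["version"]
            findings.append((version, is_affected(version), str(version_dir)))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            # Unreadable or malformed manifest: flag for manual review.
            findings.append((None, True, str(version_dir)))
    return findings


def make_sample_profile(root, versions):
    """Constructed sample data: a fake profile with one folder per version."""
    for v in versions:
        d = Path(root) / "Extensions" / EXTENSION_ID / f"{v}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": v}))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        profile = sys.argv[1] if len(sys.argv) > 1 else make_sample_profile(tmp, ["15.1.0.3", "15.1.0.5"])
        for version, needs_action, path in audit_profile(profile):
            print("AFFECTED" if needs_action else "ok", version, path)
```

Pass a real Chrome profile directory as the first argument to audit it; with no argument the script runs against the constructed sample profile.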

Evidence notes

The debrief is based on NVD metadata and Adobe’s referenced advisory link. NVD lists the vulnerable product scope as adobe:acrobat:15.1.0.3 and earlier and identifies CWE-79 with CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vendor advisory reference is https://helpx.adobe.com/security/products/acrobat/apsb17-03.html. No KEV enrichment is present in the supplied corpus.

Official resources

Publicly disclosed on 2017-01-24. The supplied records show the same published date for the CVE and source item, with later metadata modification on 2026-05-13.