react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.