Security Scan complains about js version

PDF Embedder · support · 2025-11-17T20:20:00+00:00

Conversation

support
ramgarimella resolved
Hello,

When we ran a vulnerability scan on our website, we received the following error complaining about the js version being vulnerable:

    "id": "668d212f95d9ec8621dd5079",
    "status": "OPEN",
    "Name": "Vulnerable JS Library",
    "Description": "<p>The identified library appears to be vulnerable.</p>",
    "Solution": "<p>Upgrade to the latest version of the affected library.</p>",
    "Reference": "<p>https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/</p>",
    "CWE Id": "1395",
    "Instances": [
      {
        "uri": "https://www.xxx.com/wp-content/plugins/pdf-embedder/assets/js/pdfjs/pdf.min.js?ver=2.2.228",
        "method": "GET",
        "param": "",
        "attack": "",
        "evidence": "messageHandler.sendWithPromise(\"GetDocRequest\",{docId:n,apiVersion:\"2.2.228\"",
        "otherinfo": " The identified library pdf.js, version 2.2.228 is vulnerable. \nCVE-2024-4367\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645\nhttps://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\nhttps://github.com/mozilla/pdf.js/pull/18015\nhttps://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\nhttps://github.com/mozilla/pdf.js\nhttps://github.com/advisories/GHSA-wgrm-67xf-hhpq\n",
        "requestHeader": "GET https://www.xxxx.com/wp-content/plugins/pdf-embedder/assets/js/pdfjs/pdf.min.js?ver=2.2.228 HTTP/1.1\r\nhost: http://www.xxx.com \r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\r\npragma: no-cache\r\ncache-control: no-cache\r\nreferer: https://www.xxx.com/",
        "requestBody": "",
        "responseHeader": "HTTP/1.1 200 OK\r\nDate: Sun, 16 Nov 2025 02:15:57 GMT\r\nContent-Type: application/javascript\r\nConnection: keep-alive\r\nCF-RAY: 99f37bc77ed94211-EWR\r\nlast-modified: Tue, 01 Apr 2025 17:54:29 GMT\r\nvary: Accept-Encoding\r\netag: W/\"67ec2855-51b09\"\r\nexpires: Mon, 16 Mar 2026 02:15:57 GMT\r\nCache-Control: public, max-age=10368000\r\nx-rocket-nginx-serving-static: BYPASS\r\nstrict-transport-security: max-age=31536000;\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\nx-frame-options: SAMEORIGIN\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;\r\nCF-Cache-Status: HIT\r\nAge: 4461558\r\nspeculation-rules: \"/cdn-cgi/speculation\"\r\nServer: cloudflare\r\nalt-svc: h3=\":443\"; ma=86400\r\ncontent-length: 334601\r\n\r\n",
        "responseBody": "!function(e,t){\"object\"==typeof exports&&\"object\"==typeof module?module.exports=t():\"function\"==typeof define&&define.amd?define(\"pdfjs-dist/build/pdf\",[],t):\"object\"==typeof exports?exports[\"pdfjs-dist/build/pdf\"]=t():e[\"pdfjs-dist/build/pdf\"]=e.pdfjsLib=t()}(this,function(){return function(e){var t={};function r(n){if(t[n])return t[n].exports;var i=t[n]={i:n,l:!1,exports:{}};return e[n].call(i.exports,i,i.exports,r),i.l=!0,i.exports}return r.m=e,r.c=t,r.d=function(e,t,n){r.o(e,t)||Object.defin…(truncated)"
      }
    ],

Comments

Jackson Mwange 2025-11-20T16:52:00+00:00

Hi @ramgarimella,

Thanks for getting in touch!

Please know that we are no longer affected by this vulnerability, as we fixed it back when we released PDF Embedder v4.8.0 (you can read a changelog here), in June 2024.

In case it helps to know, it is not the whole PDF.js library that is affected, but only its font-rendering part. We’ve disabled the related font-rendering part of the PDF.js library codebase.

Additionally, our plugin has been reviewed by independent researchers who confirmed that we are no longer affected. Please see our report here: https://wpscan.com/plugin/pdf-embedder/

I hope this helps with clarification, and please don’t hesitate to let me know if you have any other questions!
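
A triage sketch for a finding shaped like the one in the question, added here as an example and not taken from the plugin, the scanner or the thread: it records that the match rests on a version string alone and reads the captured response headers for supporting context. The instance is constructed from fields quoted in the report; `parseHeaders`, `triage` and the end-of-June-2024 cutoff (the reply only says "June 2024") are assumptions.

```javascript
// Constructed sample: a subset of the fields quoted in the scan report above.
const instance = {
  evidence: 'messageHandler.sendWithPromise("GetDocRequest",{docId:n,apiVersion:"2.2.228"',
  otherinfo: " The identified library pdf.js, version 2.2.228 is vulnerable. \nCVE-2024-4367\n",
  responseHeader:
    "HTTP/1.1 200 OK\r\n" +
    "last-modified: Tue, 01 Apr 2025 17:54:29 GMT\r\n" +
    "content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;\r\n" +
    "Age: 4461558\r\n\r\n",
};

// Turn the raw header string from the report into a lower-cased name -> value map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split("\r\n").slice(1)) { // slice(1) skips the status line
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Hypothetical helper: summarise what the finding does and does not establish.
function triage(inst, vendorFixCutoff) {
  const h = parseHeaders(inst.responseHeader);
  const version = (inst.evidence.match(/apiVersion:"([\d.]+)"/) || [])[1] || null;
  const modified = h["last-modified"] ? new Date(h["last-modified"]) : null;
  return {
    version,
    cves: inst.otherinfo.match(/CVE-\d{4}-\d+/g) || [],
    // The scanner matched a string in the file; it did not exercise any code path.
    basis: version ? "version-string" : "unknown",
    // A file written after the stated fix is consistent with a patched build that
    // keeps the upstream version string, but it is not proof on its own.
    fileNewerThanFix: modified ? modified > vendorFixCutoff : null,
    // A policy that permits eval() gives no second line of defence in the browser.
    cspAllowsEval: /'unsafe-eval'/.test(h["content-security-policy"] || ""),
    // Days the CDN has held this copy; a stale cache can outlive a plugin update.
    cachedDays: h["age"] ? Math.floor(Number(h["age"]) / 86400) : null,
  };
}

const result = triage(instance, new Date("2024-06-30T23:59:59Z"));
console.log(result);
```

A `version-string` basis means the finding has to be closed with evidence from the vendor or from inspecting the served file, not from the version number.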