Introduction
While analyzing exposed JavaScript configuration values, I came across a **PSPDFKit license key** embedded in a client-side application.
Since PSPDFKit is a commercial PDF rendering SDK, license keys should be properly restricted and validated.
This write-up documents a **Proof of Concept (PoC)** I created to verify whether the discovered PSPDFKit license key was **valid, active, and usable from an external environment**.
> ⚠️ No exploitation, data access, or abuse was performed.
> This test was conducted strictly for **security validation and responsible disclosure** purposes.

Why This Matters
Exposing third-party service keys in frontend JavaScript can lead to:
- Unauthorized usage of paid services
- Financial loss due to license abuse
- Violation of vendor licensing terms
- Potential legal and compliance risks
For SDKs like PSPDFKit, license keys should be:
- Domain-restricted
- Environment-bound
- Never hardcoded in public JavaScript bundles
Objective
The goal of this PoC was simple:
> Can this PSPDFKit license key be used outside the original application context?
To answer this, I built a minimal standalone HTML page that attempts to load PSPDFKit using the exposed key.
Proof of Concept (PoC)
The following PoC loads PSPDFKit directly from the official CDN and initializes it with the exposed license key.
```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>PSPDFKit PoC</title>
  <!-- Load the SDK and its stylesheet from the public CDN, with no reference to the original application -->
  <link rel="stylesheet" href="https://unpkg.com/pspdfkit/dist/pspdfkit.css">
  <script src="https://unpkg.com/pspdfkit/dist/pspdfkit.js"></script>
</head>
<body>
  <div id="pdf" style="height:100vh;"></div>
  <script>
    // Confirm the global was created by the CDN script before calling it
    console.log("PSPDFKit type:", typeof PSPDFKit);

    // Initialize the viewer with the exposed key; a license error surfaces in catch()
    PSPDFKit.load({
      container: "#pdf",
      document: "https://www.nutrient.io/downloads/nutrient-web-demo.pdf",
      licenseKey: "<REDACTED_LICENSE_KEY>"
    }).then(instance => {
      console.log("✅ PSPDFKit Loaded Successfully", instance);
    }).catch(error => {
      console.error("❌ PSPDFKit Load Failed", error);
    });
  </script>
</body>
</html>
```

Expected Outcomes
✅ If the license key is **valid and unrestricted**
- The PDF loads successfully
- PSPDFKit initializes without errors
- Full viewer functionality is available
❌ If the license key is **invalid or restricted**
- SDK throws a license validation error
- PSPDFKit fails to initialize
- Error appears in browser console
Results
When executing the PoC:
- `PSPDFKit` was successfully loaded from the CDN
- The SDK initialized without license-related errors
- The demo PDF rendered correctly
This confirms that the license key was:
- Valid
- Active
- Not restricted to a specific domain or environment
Security Impact
**Severity: Medium**
Although this does not directly expose user data, it introduces:
- Financial risk (license abuse)
- Contractual and compliance risk
- Potential service disruption if the vendor revokes the key
Recommendations
To mitigate this issue:
1. Never expose PSPDFKit license keys in frontend code
2. Use **server-side license injection** where possible
3. Apply **domain and environment restrictions** in the PSPDFKit dashboard
4. Rotate exposed keys immediately
5. Audit all third-party keys shipped to production
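As an added example that is not part of the original write-up, here is a small Node.js scanner for step 5: it checks a built bundle for the `licenseKey` option that `PSPDFKit.load()` takes (plus two alias names that are an assumption, not from the page) assigned a long quoted string, in both readable and minified form, and reports only a redacted preview of each hit. The sample bundle is constructed for the demonstration.

```javascript
// Added example: scan a built JavaScript bundle for hard-coded license keys
// before it ships. Matches both the readable form `licenseKey: "..."` and
// the minified form `"licenseKey":"..."`, and reports line numbers with a
// redacted preview so the finding can be logged without copying the secret.

// `licenseKey` is the option PSPDFKit.load() takes; the other two names are
// assumed aliases, included so snake_case or constant-style configs are caught.
const KEY_NAMES = ["licenseKey", "license_key", "LICENSE_KEY"];

// One regex: optional quotes around the option name, `:` or `=`, then a
// quoted value of at least 20 non-whitespace characters (real keys are long).
const KEY_PATTERN = new RegExp(
  `["']?(${KEY_NAMES.join("|")})["']?\\s*[:=]\\s*(["'\`])([^"'\`\\s]{20,})\\2`,
  "g"
);

// Keep only the first and last four characters, enough to correlate a
// finding with the key in the vendor dashboard when rotating it.
function redact(value) {
  return `${value.slice(0, 4)}...${value.slice(-4)}`;
}

// Returns one finding per match: option name, 1-based line, redacted value.
function findExposedLicenseKeys(source) {
  const findings = [];
  for (const match of source.matchAll(KEY_PATTERN)) {
    const line = source.slice(0, match.index).split("\n").length;
    findings.push({ name: match[1], line, preview: redact(match[3]) });
  }
  return findings;
}

// Constructed sample bundle (not from any real application): a readable
// PSPDFKit.load() call, a minified assignment, and a short placeholder
// that is too short to be a key and must not be reported.
const SAMPLE_BUNDLE = [
  "PSPDFKit.load({",
  '  container: "#pdf",',
  '  licenseKey: "AAAAexampleexampleexampleexampleZZZZ"',
  "});",
  'var c={"licenseKey":"1111minifiedminifiedminified9999"};',
  'const placeholder = { licenseKey: "REDACTED" };',
].join("\n");

console.log(findExposedLicenseKeys(SAMPLE_BUNDLE));
```

Run it against each file in the build output directory; any finding means the key must be rotated, not just removed from the next build.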
Final Notes
Client-side configuration leaks are often overlooked because they don't "look like vulnerabilities".
In reality, **they represent real business and security risks**.
Always treat third-party keys as secrets.