jsPDF library versions prior to 4.2.1 contain a vulnerability that allows attackers to inject arbitrary HTML and scripts into browser contexts when PDFs are opened. The vulnerability stems from insufficient sanitization of the options argument in the output function. Attackers can exploit this through web interfaces by providing malicious output options that get passed to victims. When victims create and open PDFs with the malicious payload, scripts execute in their browser context, potentially allowing extraction or modification of secrets. The vulnerability has been patched in version 4.2.1, and users can mitigate by sanitizing input before passing to the output method.