The vulnerability exists due to incorrect verification of cryptographic signature when handling certain signed documents that contain JavaScript. A remote attacker can manipulate document content and deceive users into trusting the manipulated documents.