Updated The Zero Day Initiative (ZDI) has gone public with a Foxit PDF Reader vulnerability without a fix, because the vendor resisted patching.
The ZDI made the decision last week that the two vulns, CVE-2017-10951 and CVE-2017-10952, warranted release so at least some of Foxit's 400 million users could protect themselves.
In both cases, the only chance at mitigation is to use the software's "Secure Mode" when opening files, something that users might skip in normal circumstances.
CVE-2017-10951 allows the the app.launchURL method to execute a system call from a user-supplied string, with insufficient validation.
Both are restricted to execution with the user's rights.
ZDI went public after its usual 120-day cycle because the authors made it clear no fix was coming, with this response:
Foxit Software appears to be content to suggest users run its wares in Safe Mode, as its security advisories home page offers that advice for bugs identified in 2011.
The company did patch a dirty dozen bugs in 2016. ®
Update: On August 22, Foxit decided mitigation is necessary, as noted here.