The Zero Day Initiative (ZDI) has gone public with a Foxit PDF Reader vulnerability without a fix, because the vendor resisted patching.
The ZDI made the decision last week that the two vulns, CVE-2017-10951 and CVE-2017-10952, warranted release so at least some of Foxit's 400 million users could protect themselves.
In both cases, the only chance at mitigation is to use the software's "Secure Mode" when opening files, something that users might skip in normal circumstances.
CVE-2017-10951 allows the app.launchURL method to execute a system call from a user-supplied string, with insufficient validation.
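A defender-side triage sketch for the app.launchURL issue described above, added here and not taken from ZDI or Foxit: it lists each distinct app.launchURL call found in a PDF's raw bytes and Flate-compressed streams, and flags any whose first argument is not a plain http(s) string literal. The regexes, verdict labels and sample document are constructed assumptions, and encrypted or otherwise-encoded scripts are not covered.

```python
import re
import zlib

# Body of a PDF stream object; trailing EOL bytes are left for zlib to ignore.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# app.launchURL( followed by its first argument, up to a comma or ")".
CALL_RE = re.compile(rb"app\s*\.\s*launchURL\s*\(\s*([^,)]*)")
# Assumption of this example: a quoted http(s) literal is the expected use.
HTTP_LITERAL_RE = re.compile(rb"""^["']https?://[^"']*["']$""", re.IGNORECASE)


def script_regions(pdf_bytes):
    """Yield the raw file, then every stream that inflates as zlib data."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded (or encrypted): out of scope here


def find_launchurl_calls(pdf_bytes):
    """Return distinct (first_argument, verdict) pairs in order of discovery."""
    findings = []
    for region in script_regions(pdf_bytes):
        for match in CALL_RE.finditer(region):
            arg = match.group(1).strip()
            verdict = "literal-http" if HTTP_LITERAL_RE.match(arg) else "review"
            findings.append((arg.decode("latin-1"), verdict))
    return list(dict.fromkeys(findings))


# Constructed sample: one plain-text action and one Flate-compressed script.
_JS = b'var u = this.getField("dest").value; app.launchURL(u, true);'
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /S /JavaScript "
    b'/JS (app.launchURL("https://example.test/help", true);) >> endobj\n'
    b"2 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_JS)
    + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    for argument, verdict in find_launchurl_calls(SAMPLE):
        print(f"{verdict:12} app.launchURL({argument}, ...)")
```

A "review" verdict only means the argument is computed at run time or is not an http(s) literal, so the document deserves a closer look before it is opened outside the reader's restricted mode.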
Foxit Software appears to be content to suggest users run its wares in Safe Mode, as its security advisories home page offers that advice for bugs identified in 2011.