cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mozillian
Making moves
Status: New idea

I mean... Who even uses PDF Scripting except malicious actors?

11 Comments
Status changed to: New idea
Jon
Community Manager
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

marco
Employee
Employee

@mozillianthe federal government of the United States is using JavaScript in many PDF forms, for example the ones used by citizens to submit their taxes.

If you consider the U.S. federal government to be a malicious actor, you should know other governments too use JS in PDFs, e.g. at least Italy and the United Kingdom.

Jokes aside, you can rest assured that the implementation in our PDF viewer is the most secure JS implementation possible. As the PDF viewer is basically a web page (being itself written in HTML, CSS and JavaScript). So in Firefox, JS in a PDF has exactly the same level of security as JS in a web page.

That said, in about:config, you can use the pdfjs.enableScripting preference to disable JS in PDFs and the javascript.enabled preference to disable JS in web pages.

mozillian
Making moves

@marcoi have no doubts on the security of the implementation of Javascript in PDF files, though is it at all possible you guys could at least add an "Enable javascript?" pop-up when a PDF file requests it? Just in case

marco
Employee
Employee

If we did that, we would need to do the same for JavaScript in normal web pages too, as they have basically the same security characteristics. It would be a pretty bad user experience.

mozillian
Making moves

Uhh, the browser can't distinguish between a PDF file that's either local or online and an html website?

marco
Employee
Employee

The browser can distinguish between them, but, as I said above, they have exactly the same security characteristics. JavaScript in a PDF can't do anything more than JavaScript in a website.

Given that, why would we treat JavaScript in a PDF differently than JavaScript in a website?

mozillian
Making moves

I mean, you can't use extensions on local pdf files, that's already treating the files different as you still can do so on local html files

marco
Employee
Employee

@mozillianthe files can be treated differently by the browser, that's not a problem.

The thing is that there's no point disabling JavaScript exclusively in PDFs, because it's not a security risk.

If you can think of other reasons why JavaScript should be disabled in PDFs outside security, feel free to suggest it and we'll consider it!

mozillian
Making moves

I mean, people don't expect PDF files to use javascript, other then possibly somehow being leveraged for compromising security, (unsure) they might somehow be used to track how the people interact with the file? Or possibly a malicious actor might just use javascript to trigger somebodies epilepsy by flashing colors on & off on people's screens... I honestly don't know how much javascript firefox allows to be in pdf files but in the end if it's the same amount as html websites then that might be leveraged just to cause inconvenient stuff possibly, and it's not like this is a very-very essential feature that people use everyday so why risk it instead of showing a small pop-up that'll probably bother a normal user like once every 2 years or something and possibly just have a "remember option" button in the settings? That aside, a truly dedicated malicious actor would probably find some way to leverage it for their own benefit, and a truly dedicated malicious actor is probably up to no simple troll.

marco
Employee
Employee

@mozillian  the thing is: the same applies to normal websites. E.g. a malicious actor might use javascript to trigger somebody epilepsy by flashing colors on normal websites just as on PDFs.

If we believe JavaScript in Firefox is risky, then it is risky exactly in the same way in PDFs as in normal websites and we would need to block its execution and ask the user in both normal websites and PDFs. There is no point in making a difference because the characteristics are basically the same.

In other readers the situation is very different because they are native and so prone to security bugs.

OldSchoolGuy
New member

I know this thread is pretty old, but I have to chime in because I use No-Script to handle java execution on websites for security. Surfing the web without No-Script is like having sex with random people without using protection. It's just a matter of time before you catch an STD. Using No-Script, in conjunction with an option to disable java in PDF files viewed in Firefox, would be ideal, as I use Firefox to view PDF files by default. The fact that most all PDF files are compressed with high entropy is cause for concern at the very least. AV databases cannot detect malicious code embedded in PDF files in the wild that are novel. If a website does not load properly when I have No-Script running, I usually just leave that site and don't go there unless I trust the site 100%. There is no "running away" from a compressed PDF file with unknown java that runs when you open it.